This detection identifies potential Cobalt Strike command-and-control (C2) activity by matching network telemetry against known C2 addresses. A hit means a host has contacted infrastructure associated with Cobalt Strike beacons, which typically precedes credential theft, lateral movement, persistence and exfiltration. SOC teams should hunt for this traffic in Microsoft Sentinel and treat unexplained matches as high priority: Cobalt Strike is widely used by ransomware operators and state-sponsored groups, and a beacon check-in is often the first observable sign of an intrusion in progress.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]217[.]12[.]212:48080 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 1[.]13[.]141[.]229:8080 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 1[.]13[.]141[.]229:80 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 1[.]13[.]141[.]229:443 | botnet_cc | 2026-06-12 | 100% |
```kql
// Hunt for network connections to known Cobalt Strike C2 addresses
// Source: ThreatFox - Cobalt Strike
// Matching on IP alone is deliberately broad; compare DestinationPort with the IOC port during triage
let malicious_ips = dynamic(["1.13.141.229", "8.217.12.212"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
// The initiating process and account are what separate a beacon from a browser hitting a reused address
let malicious_ips = dynamic(["1.13.141.229", "8.217.12.212"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector; ensure firewall or proxy logs are flowing into it |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR data connector with Defender for Endpoint telemetry enabled |
Scenario: Authorized Red Team or Penetration Test Engagement
Description: Cobalt Strike is a commercial adversary-emulation framework. An internal red team or a contracted penetration tester may run a team server whose address lands in threat intelligence feeds, or whose infrastructure overlaps the listed IOCs. This is the only legitimate source of Cobalt Strike beacon traffic; there is no scheduled-job, remote-management, integrity-check or build-pipeline use of the tool, and exclusions written for those cases only blind the detection.
Filter/Exclusion: Do not exclude on membership of a Red Team or Internal Security group, or on a lab directory path; an attacker who compromises a red team account or drops a payload in that path inherits the exclusion. Suppress only events whose destination ip:port is the engagement's documented team server, from its registered source hosts, inside its approved time window, and keep the suppressed events in a review queue.
Scenario: Security Tooling That Deliberately Contacts IOC Addresses
Description: Sandboxes, URL scanners, vulnerability scanners and threat-intelligence enrichment jobs connect to known-malicious addresses on purpose, and the connection is logged exactly as a beacon check-in would be.
Filter/Exclusion: Exclude the specific analysis hosts by DeviceName or SourceIP. Never key an exclusion on command-line strings such as beacon or checkin: the attacker controls the command line, and beacons are normally injected into or spawned as ordinary processes such as rundll32.exe that carry no such string.
Scenario: Reused or Shared Infrastructure
Description: The IOCs are bare addresses on ports that include 80 and 443. Shared hosting and cloud addresses are reassigned after a takedown, so ordinary traffic to an unrelated service on the same IP matches the IP-only queries above; web-port matches therefore deserve more scrutiny than the 8080 and 48080 entries.
Filter/Exclusion: Compare the event time with the IOC's First Seen date and weigh its Confidence (the 8.217.12.212 entry is 75%, the rest 100%). Confirm the destination port matches a listed ip:port. If the remote service is verified legitimate, exclude that single ip:port pair with an expiry date, not the whole IP.
Scenario: Process-Name or Parent-Process Collisions
Description: Tools such as Microsoft Baseline Security Analyzer or sfc do not trigger this detection: the queries match on destination IP, not on process names, so there is no name collision to tune out.
Filter/Exclusion: None. Do not exclude on parent process svchost.exe or taskhost.exe, or on parents that are remote-management tools such as Remote Desktop or Citrix components; those are the processes attackers inject beacons into. Use InitiatingProcessFileName and the command line to prioritise, not to suppress.
Scenario: Build Agents and Package Mirrors
Description: Cobalt Strike plays no part in build or code-signing pipelines. A match from a build agent means the agent reached an IOC address, most often because a package mirror or proxy shares that infrastructure, and it is handled like any other shared-infrastructure hit.
Filter/Exclusion: Do not exclude on build-tool names in the command line (msbuild, dotnet and gradle are also used by attackers as loaders). Verify the remote service, then exclude only the specific agent and destination ip:port pair, or where the process is initiated from a CI/
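As an added example that is not part of the original page, of ThreatFox or of Sentinel tooling, the following Python applies the IOC table above the way the scenarios recommend: it refangs the ip:port entries into validated pairs, matches events on IP and port (the KQL above matches on IP alone), reports port mismatches separately for triage instead of dropping them, and suppresses only events that fall inside a narrowly scoped authorized engagement (one host, one C2 pair, one time window). It also emits a KQL `datatable` literal for a port-aware join. The hostnames, timestamps, engagement and process names are constructed for the demonstration.

```python
"""Port-aware Cobalt Strike IOC matching with a scoped engagement allowlist.

Added example; not the page's, ThreatFox's or Microsoft Sentinel's own code.
Sample events, hostnames and the engagement window below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address

# The four ThreatFox rows from the IOC table, still defanged: (value, confidence)
IOC_ROWS = [
    ("8[.]217[.]12[.]212:48080", 75),
    ("1[.]13[.]141[.]229:8080", 100),
    ("1[.]13[.]141[.]229:80", 100),
    ("1[.]13[.]141[.]229:443", 100),
]


def refang(value: str) -> tuple[str, int]:
    """Convert a defanged 'a[.]b[.]c[.]d:port' string to a validated (ip, port)."""
    host, sep, port = value.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {value!r}")
    ip = str(ip_address(host))  # ValueError on anything that is not a real address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in {value!r}")
    return ip, port_num


def is_valid_ioc(value: str) -> bool:
    """True if the defanged value parses; use to reject malformed feed rows."""
    try:
        refang(value)
        return True
    except ValueError:
        return False


IOC_PAIRS = {refang(v): conf for v, conf in IOC_ROWS}  # (ip, port) -> confidence
IOC_IPS = {ip for ip, _ in IOC_PAIRS}                  # what the page's KQL matches on


@dataclass(frozen=True)
class NetEvent:
    """Minimal stand-in for a DeviceNetworkEvents row."""
    ts: datetime
    device: str
    remote_ip: str
    remote_port: int
    process: str


@dataclass(frozen=True)
class Engagement:
    """Authorized red team window: suppress only this host, this C2 pair, this period."""
    device: str
    c2: tuple[str, int]
    start: datetime
    end: datetime


def classify(ev: NetEvent, allowlist: tuple[Engagement, ...] = ()) -> str:
    """Return 'none', 'suppressed', 'ip_port_match' or 'ip_only_match'."""
    if ev.remote_ip not in IOC_IPS:
        return "none"
    pair = (ev.remote_ip, ev.remote_port)
    for eng in allowlist:  # every field must match; group membership or paths are not used
        if eng.device == ev.device and eng.c2 == pair and eng.start <= ev.ts <= eng.end:
            return "suppressed"
    return "ip_port_match" if pair in IOC_PAIRS else "ip_only_match"


def hunt(events, allowlist=()):
    """Return (device, ip, port, process, verdict) for every event touching an IOC IP."""
    out = []
    for ev in events:
        verdict = classify(ev, allowlist)
        if verdict != "none":
            out.append((ev.device, ev.remote_ip, ev.remote_port, ev.process, verdict))
    return out


def kql_datatable(pairs) -> str:
    """Emit a KQL datatable literal so Sentinel can join on both ip and port."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in sorted(pairs))
    return f"let cs_c2 = datatable(ip:string, port:int)[{rows}];"


UTC = timezone.utc
# Constructed sample telemetry (hypothetical hosts, times and processes).
SAMPLE_EVENTS = [
    NetEvent(datetime(2026, 6, 13, 10, 0, tzinfo=UTC), "ws01", "1.13.141.229", 443, "rundll32.exe"),
    NetEvent(datetime(2026, 6, 13, 10, 5, tzinfo=UTC), "build01", "1.13.141.229", 8443, "msbuild.exe"),
    NetEvent(datetime(2026, 6, 13, 11, 0, tzinfo=UTC), "redteam-01", "8.217.12.212", 48080, "beacon.exe"),
    NetEvent(datetime(2026, 6, 13, 11, 0, tzinfo=UTC), "ws02", "8.217.12.212", 48080, "beacon.exe"),
    NetEvent(datetime(2026, 6, 13, 11, 5, tzinfo=UTC), "dc01", "10.0.0.5", 445, "lsass.exe"),
]
# Hypothetical approved engagement: one host, one C2 pair, one working day.
ALLOWLIST = (
    Engagement("redteam-01", ("8.217.12.212", 48080),
               datetime(2026, 6, 13, 9, 0, tzinfo=UTC), datetime(2026, 6, 13, 17, 0, tzinfo=UTC)),
)

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS, ALLOWLIST):
        print(row)
    print(kql_datatable(IOC_PAIRS))
```

Only the engagement host's connection to its registered team server is suppressed; ws02 reaching the same ip:port with the same process name still fires, and build01 reaching an IOC IP on an unlisted port surfaces as ip_only_match for analyst review rather than disappearing. The generated `let cs_c2` statement can replace the `dynamic` list in the queries above and be joined on `$left.RemoteIP == $right.ip, $left.RemotePort == $right.port`.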