The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]130[.]246[.]23:80 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 43[.]130[.]246[.]23:443 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 153[.]0[.]197[.]184:8555 | botnet_cc | 2026-06-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["43.130.246.23", "153.0.197.184"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["43.130.246.23", "153.0.197.184"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
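As an added example (not part of the original page or its queries), the Python below refangs the IOC table above into the `dynamic([...])` list the hunting queries use, drops rows below a confidence floor, and applies the same IP match to constructed sample rows shaped like DeviceNetworkEvents, also flagging whether the destination port matched, which the IP-only queries above do not check.

```python
import ipaddress

# Copy of the IOC table above as (defanged value, confidence); values come from the page.
IOC_ROWS = [
    ("43[.]130[.]246[.]23:80", 100),
    ("43[.]130[.]246[.]23:443", 100),
    ("153[.]0[.]197[.]184:8555", 75),
]

def refang(value: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) tuple."""
    ip_text, _, port_text = value.replace("[.]", ".").rpartition(":")
    ip = str(ipaddress.ip_address(ip_text))  # raises ValueError on a malformed address
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ip, port

def build_iocs(rows, min_confidence: int = 0) -> dict[str, set[int]]:
    """Map each IP to the C2 ports reported for it, skipping rows below the confidence floor."""
    iocs: dict[str, set[int]] = {}
    for value, confidence in rows:
        if confidence >= min_confidence:
            ip, port = refang(value)
            iocs.setdefault(ip, set()).add(port)
    return iocs

def kql_let(iocs: dict[str, set[int]]) -> str:
    """Render the IP list in the dynamic([...]) form the hunting queries above expect."""
    return "let malicious_ips = dynamic([%s]);" % ", ".join(f'"{ip}"' for ip in sorted(iocs))

def match_events(events: list[dict], iocs: dict[str, set[int]]) -> list[dict]:
    """Return events whose RemoteIP is an IOC, flagging whether RemotePort also matched."""
    hits = []
    for event in events:
        ports = iocs.get(event["RemoteIP"])
        if ports is not None:  # IP-only match like the queries above; the port adds fidelity
            hits.append({**event, "PortMatch": event["RemotePort"] in ports})
    return hits

# Constructed sample rows in the shape of DeviceNetworkEvents; not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "43.130.246.23", "RemotePort": 443, "InitiatingProcessFileName": "rundll32.exe"},
    {"DeviceName": "ws02", "RemoteIP": "43.130.246.23", "RemotePort": 8080, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 445, "InitiatingProcessFileName": "svchost.exe"},
]

if __name__ == "__main__":
    print(kql_let(build_iocs(IOC_ROWS)), match_events(SAMPLE_EVENTS, build_iocs(IOC_ROWS)), sep="\n")
```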
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to check in with the C2 server as part of a red team exercise or pentest.
Filter/Exclusion: Exclude processes associated with known red team tools (e.g., cobaltstrike.exe, beacon.exe) or filter by user account (e.g., redteam\pentester).

Scenario: System Administrator Running Cobalt Strike for Internal Testing
Description: An admin uses Cobalt Strike for internal security testing or incident response simulation.
Filter/Exclusion: Exclude processes initiated by admin accounts (e.g., Administrator, sysadmin) or filter by command-line arguments containing --test or --simulate.

Scenario: Microsoft Endpoint Manager (MEM) Scheduled Job Using Cobalt Strike
Description: A managed endpoint uses Cobalt Strike as part of a security tooling pipeline, such as a custom script or integration with MEM.
Filter/Exclusion: Exclude processes with parent process IDs matching known MEM services (e.g., msiexec.exe, taskeng.exe) or filter by file paths in known secure directories (e.g., C:\Program Files\).

Scenario: Cobalt Strike Used in a DevOps Pipeline for Infrastructure Testing
Description: A DevOps team uses Cobalt Strike in a CI/CD pipeline to test infrastructure security controls.
Filter/Exclusion: Exclude processes that originate from CI/CD agents (e.g., jenkins.exe, dockerd.exe) or filter by command-line arguments containing --devops or --pipeline.

Scenario: Cobalt Strike Beacon Used for Internal C2 Communication
Description: An internal security team uses a Cobalt Strike beacon to communicate with a secure internal C2 server