The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistent remote access to compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they escalate.
IOC Summary

Malware Family: Cobalt Strike
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 113[.]44[.]136[.]127:8087 | botnet_cc | 2026-06-02 | 75% |
| ip:port | 64[.]177[.]70[.]33:443 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 130[.]94[.]43[.]198:443 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 38[.]165[.]20[.]35:443 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 210[.]16[.]168[.]11:81 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 45[.]148[.]244[.]222:80 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 38[.]181[.]42[.]160:80 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 176[.]97[.]124[.]68:80 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 38[.]181[.]42[.]160:8080 | botnet_cc | 2026-06-02 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["210.16.168.11", "130.94.43.198", "176.97.124.68", "38.181.42.160", "45.148.244.222", "64.177.70.33", "38.165.20.35", "113.44.136.127"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["210.16.168.11", "130.94.43.198", "176.97.124.68", "38.181.42.160", "45.148.244.222", "64.177.70.33", "38.165.20.35", "113.44.136.127"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
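The two hunts above match on the bare IP only, while the IOC feed lists ip:port pairs (38.181.42.160 appears twice, on 80 and 8080, so 9 IOCs collapse to 8 IPs). The following Python script is an added example, not code from the page's feed or from Sentinel: it refangs the IOC values exactly as printed in the table, regenerates the `let malicious_ips` line used by the KQL hunts, and runs both an IP-only and an exact ip:port match over a handful of constructed DeviceNetworkEvents-style records, so an analyst can see which hits the query would surface and which of those also match the advertised C2 port. The sample events, device names and process names are constructed for the demonstration.

```python
"""Refang ip:port IOCs and match them against constructed network events.

Added example for this hunting page; the IOC strings are copied from the IOC
table above, the event records are constructed and not real telemetry.
"""
import re
from typing import Iterable

# IOC values as printed in the IOC table, still in defanged form.
DEFANGED_IOCS = [
    "113[.]44[.]136[.]127:8087",
    "64[.]177[.]70[.]33:443",
    "130[.]94[.]43[.]198:443",
    "38[.]165[.]20[.]35:443",
    "210[.]16[.]168[.]11:81",
    "45[.]148[.]244[.]222:80",
    "38[.]181[.]42[.]160:80",
    "176[.]97[.]124[.]68:80",
    "38[.]181[.]42[.]160:8080",
]

# Dotted-quad IPv4 with each octet in 0..255.
_IPV4 = re.compile(
    r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$"
)


def refang(ioc: str) -> tuple[str, int]:
    """Turn 'a[.]b[.]c[.]d:port' into ('a.b.c.d', port).

    Raises ValueError for anything that is not a well-formed IPv4 ip:port pair,
    so a typo in the feed fails loudly instead of silently matching nothing.
    """
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep or not _IPV4.match(host) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {ioc!r}")
    return host, port_num


def build_indicators(iocs: Iterable[str]) -> tuple[set[tuple[str, int]], set[str]]:
    """Return (set of (ip, port) pairs, set of bare IPs) for a feed."""
    pairs = {refang(i) for i in iocs}
    return pairs, {ip for ip, _ in pairs}


def kql_ip_list(iocs: Iterable[str]) -> str:
    """Render the bare-IP list as the `let` line the KQL hunts above consume."""
    _, ips = build_indicators(iocs)
    quoted = ", ".join(f'"{ip}"' for ip in sorted(ips))
    return f"let malicious_ips = dynamic([{quoted}]);"


# Constructed DeviceNetworkEvents-style records (hypothetical hosts/processes).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-02T08:01:10Z", "DeviceName": "ws-014",
     "RemoteIP": "64.177.70.33", "RemotePort": 443,
     "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": "2026-06-02T08:03:42Z", "DeviceName": "ws-021",
     "RemoteIP": "38.181.42.160", "RemotePort": 8080,
     "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-02T08:05:00Z", "DeviceName": "srv-db1",
     "RemoteIP": "38.181.42.160", "RemotePort": 22,
     "InitiatingProcessFileName": "ssh.exe"},
    {"Timestamp": "2026-06-02T08:05:30Z", "DeviceName": "ws-014",
     "RemoteIP": "8.8.8.8", "RemotePort": 53,
     "InitiatingProcessFileName": "svchost.exe"},
]


def match_events(events: list[dict], iocs: Iterable[str]) -> list[dict]:
    """Flag every event whose RemoteIP is on the list (what the KQL hunt does)
    and annotate whether the RemotePort also matched the feed's ip:port pair."""
    pairs, ips = build_indicators(iocs)
    hits = []
    for ev in events:
        if ev["RemoteIP"] in ips:
            hit = dict(ev)
            hit["ExactPortMatch"] = (ev["RemoteIP"], ev["RemotePort"]) in pairs
            hits.append(hit)
    return hits


if __name__ == "__main__":
    print(kql_ip_list(DEFANGED_IOCS))
    for h in match_events(SAMPLE_EVENTS, DEFANGED_IOCS):
        kind = "exact ip:port" if h["ExactPortMatch"] else "ip only"
        print(h["Timestamp"], h["DeviceName"], h["RemoteIP"], h["RemotePort"], kind)
```

The IP-only match is the right first pass, since a beacon may be configured with ports the feed has not seen, but the `ExactPortMatch` flag is what separates a hit on the advertised C2 listener from unrelated traffic to a host that also serves other services, and it is the natural field to sort on when triaging a long result set.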
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform a health check.
Filter/Exclusion: Exclude processes with CommandLine containing beacon or checkin and associated with a known internal tool or scheduled task.

Scenario: Admin Task Using Cobalt Strike for Internal Red Team Exercise
Description: An admin uses Cobalt Strike as part of a red team exercise to simulate an attack for training purposes.
Filter/Exclusion: Exclude processes with User field matching internal red team members or with CommandLine containing --redteam or --exercise.

Scenario: PowerShell Script Using Cobalt Strike Beacon for Automation
Description: A PowerShell script uses a Cobalt Strike beacon for automation tasks like system inventory or patch management.
Filter/Exclusion: Exclude processes with ProcessName powershell.exe and CommandLine containing Invoke-Command or Invoke-WebRequest with known internal endpoints.

Scenario: Cobalt Strike Beacon Used for Remote Administration
Description: A legitimate remote administration tool uses a Cobalt Strike beacon for remote management tasks.
Filter/Exclusion: Exclude processes with ProcessName matching internal remote management tools (e.g., psexec.exe, PsExec.exe) or with User field matching IT admin groups.

Scenario: Cobalt Strike Beacon Used for Log Collection
Description: A log collection tool uses a Cobalt Strike beacon to gather system logs for monitoring or auditing.
Filter/Exclusion: Exclude processes with CommandLine containing logcollect, logrotate, or syslog and with User field matching log management teams.