Adversaries are using the Cobalt Strike command-and-control infrastructure listed below to establish persistent command-and-control channels and exfiltrate data from the network. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and mitigate advanced persistent threat (APT) activity early.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 13
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 117[.]159[.]27[.]165:9090 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 117[.]159[.]27[.]165:443 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 8[.]145[.]44[.]217:80 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 8[.]145[.]44[.]217:8080 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 8[.]145[.]44[.]217:443 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 8[.]145[.]44[.]217:8081 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 85[.]121[.]4[.]107:8443 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 110[.]42[.]219[.]9:443 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 110[.]42[.]219[.]9:80 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 110[.]42[.]219[.]9:8080 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 8[.]219[.]158[.]30:80 | botnet_cc | 2026-06-09 | 50% |
| ip:port | 194[.]38[.]138[.]155:8443 | botnet_cc | 2026-06-09 | 94% |
| ip:port | 120[.]55[.]246[.]213:18443 | botnet_cc | 2026-06-09 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the IOC table lists ip:port pairs; this query matches on the IP alone,
// so a hit on any port to one of these addresses is surfaced for review.
let malicious_ips = dynamic(["85.121.4.107", "117.159.27.165", "8.219.158.30", "110.42.219.9", "8.145.44.217", "120.55.246.213", "194.38.138.155"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IOC list as above; RemotePort and the initiating process are kept so the
// analyst can compare the observed port with the ports in the IOC table.
let malicious_ips = dynamic(["85.121.4.107", "117.159.27.165", "8.219.158.30", "110.42.219.9", "8.145.44.217", "120.55.246.213", "194.38.138.155"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
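The two queries above match on IP address only, while every IOC in the table is an ip:port pair with its own confidence score. The following query is an added example and not part of the original hunt: it carries the refanged ip:port pairs and their confidence values from the table into a `datatable`, pre-filters on IP, and then flags for each hit whether the observed port is one of the listed ones, so a 100% IOC on an unexpected port and a 50% IOC on its listed port are both visible and ranked. The 30-day window and the projected columns are assumptions.

```kql
// Added example (not from the original page): port-aware Cobalt Strike C2 hunt
// that keeps the IOC confidence next to each hit.
// IOC values are the refanged ip:port pairs and confidence figures from the table above.
let cs_iocs = datatable(RemoteIP: string, RemotePort: int, Confidence: int)
[
    "117.159.27.165", 9090,  100,
    "117.159.27.165", 443,   100,
    "8.145.44.217",   80,    100,
    "8.145.44.217",   8080,  100,
    "8.145.44.217",   443,   100,
    "8.145.44.217",   8081,  100,
    "85.121.4.107",   8443,  100,
    "110.42.219.9",   443,   100,
    "110.42.219.9",   80,    100,
    "110.42.219.9",   8080,  100,
    "8.219.158.30",   80,    50,
    "194.38.138.155", 8443,  94,
    "120.55.246.213", 18443, 75
];
DeviceNetworkEvents
| where Timestamp > ago(30d)                          // assumed lookback window
| where RemoteIP in (cs_iocs | distinct RemoteIP)      // cheap IP pre-filter before the join
| join kind=leftouter cs_iocs on RemoteIP, RemotePort  // match ip:port; unmatched ports get null Confidence
| extend PortListed = isnotnull(Confidence)            // true when the observed port is in the IOC table
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortListed, Confidence,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by PortListed desc, Confidence desc, Timestamp desc
```

Rows with `PortListed == false` are still connections to a listed C2 address and should be triaged; they only tell the analyst that the beacon used a port ThreatFox has not recorded. The single 50% entry (8.219.158.30) sorts last on its own, which is usually the right priority for a hunt but not a reason to drop it.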
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: A red team member is running Cobalt Strike as part of a controlled security assessment.
Filter/Exclusion: Check for presence of CobaltStrike.exe in a known red team directory (e.g., C:\RedTeam\) and exclude processes launched from that path.
Scenario: Scheduled Job for System Maintenance
Description: A scheduled task is running a PowerShell script that uses Invoke-WebRequest to fetch updates from a trusted internal server.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks running under a specific service account (e.g., DOMAIN\maintenance_svc).
Scenario: Admin Task for Log Collection
Description: An administrator is using a tool like LogParser or PowerShell to collect and analyze logs from a remote server.
Filter/Exclusion: Exclude processes initiated by logparser.exe or PowerShell scripts running under a specific admin account (e.g., DOMAIN\sysadmin).
Scenario: Internal Tool for Code Compilation
Description: A development team is using a build tool like MSBuild or Gradle that temporarily downloads dependencies from a trusted internal repository.
Filter/Exclusion: Exclude network requests to internal IP ranges (e.g., 10.0.0.0/8) or domains within the company’s domain (e.g., *.internal.corp).
Scenario: Antivirus or EDR Tool Scanning for Malware
Description: A security tool like Microsoft Defender or CrowdStrike is performing a full system scan and temporarily executes scripts or binaries.
Filter/Exclusion: Exclude processes initiated by known security tools (e.g., MsMpEng.exe,
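Assuming the Defender for Endpoint table used in the hunt above, the exclusions from these scenarios can be expressed as a tag column rather than as a hard filter, so a connection to a known C2 address is never silently dropped: the tag explains why a hit is probably benign, and the final `where` can be removed to keep tagged hits for review. This query is an added example and not part of the original page; the red-team path, account names and tool name are the placeholders from the scenarios (`C:\RedTeam\`, `maintenance_svc`, `sysadmin`, `logparser.exe`, `MsMpEng.exe`) and must be replaced with your environment's values. The internal-range scenario is omitted because every IOC in the table is a public address, so an internal-range exclusion would never match.

```kql
// Added example (not from the original page): the Defender for Endpoint hunt
// with the false-positive scenarios applied as a KnownGood tag.
// Paths, account names and tool names below are the placeholders from the
// scenarios above, not values from any real environment.
let malicious_ips = dynamic(["85.121.4.107", "117.159.27.165", "8.219.158.30", "110.42.219.9", "8.145.44.217", "120.55.246.213", "194.38.138.155"]);
let redteam_path    = @"C:\RedTeam\";                 // scenario 1: known red team directory
let maint_accounts  = dynamic(["maintenance_svc"]);   // scenario 2: maintenance service account
let admin_accounts  = dynamic(["sysadmin"]);          // scenario 3: admin account used for log collection
let security_tools  = dynamic(["MsMpEng.exe"]);       // scenario 5: known security tool binaries
DeviceNetworkEvents
| where Timestamp > ago(30d)                          // assumed lookback window
| where RemoteIP in (malicious_ips)
| extend KnownGood = case(
    // scenario 1: Cobalt Strike launched from the red team directory
    InitiatingProcessFolderPath startswith redteam_path, "red team exercise",
    // scenario 2: launched by schtasks.exe or running as the maintenance account
    InitiatingProcessParentFileName =~ "schtasks.exe"
        or InitiatingProcessAccountName in~ (maint_accounts), "scheduled maintenance",
    // scenario 3: LogParser or PowerShell under the admin account
    InitiatingProcessFileName =~ "logparser.exe"
        or (InitiatingProcessFileName =~ "powershell.exe"
            and InitiatingProcessAccountName in~ (admin_accounts)), "admin log collection",
    // scenario 5: known security tool process
    InitiatingProcessFileName in~ (security_tools), "security tool",
    "")                                               // no scenario matched
| where isempty(KnownGood)                            // remove this line to keep tagged hits for review
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName,
          InitiatingProcessFolderPath, InitiatingProcessAccountName, KnownGood
| order by Timestamp desc
```

Each exclusion keys on an attribute an attacker can imitate (a folder name, a process name, an account), so a tag such as "security tool" on a connection to a listed C2 address is a prompt to confirm the binary's signature and path, not a reason to close the alert.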