Adversaries are using the Cobalt Strike infrastructure listed in these IOCs for command and control and data exfiltration, which points to active compromise and potential long-term persistence. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 31
IOC Types: domain, ip:port
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["47.242.0.207", "154.37.215.213", "185.92.190.216", "51.91.103.206", "114.134.187.38", "45.140.213.6", "23.141.12.111", "116.204.36.177", "185.92.190.214", "64.90.3.208", "185.89.249.66", "81.69.253.132", "193.23.160.213", "89.169.183.76", "111.231.173.74", "8.152.2.86", "149.88.66.234", "176.121.49.225", "107.173.122.193", "151.239.24.122"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["47.242.0.207", "154.37.215.213", "185.92.190.216", "51.91.103.206", "114.134.187.38", "45.140.213.6", "23.141.12.111", "116.204.36.177", "185.92.190.214", "64.90.3.208", "185.89.249.66", "81.69.253.132", "193.23.160.213", "89.169.183.76", "111.231.173.74", "8.152.2.86", "149.88.66.234", "176.121.49.225", "107.173.122.193", "151.239.24.122"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["www.api-aws.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
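The queries above match on the bare IP and ignore the port, so a shared host (several of the feed's indicators are one IP on several ports) gets flagged on any connection. The following consolidated hunt is an added example, not code from the original page or from ThreatFox: it matches the full ip:port pair, reads the indicators from a Sentinel watchlist instead of a hardcoded list, and unions the firewall and endpoint tables so one result set shows which host talked to which pair and how often. The watchlist name `CobaltStrike_IOCs` and the assumption that its `SearchKey` column holds the `ip:port` values are mine; it covers outbound connections only, and the DNS query above is unchanged.

```kql
// Added example, not part of the original page or the ThreatFox feed.
// Assumption: a Sentinel watchlist named 'CobaltStrike_IOCs' whose SearchKey
// column holds the feed's ip:port values in the form "<ip>:<port>".
let ioc_pairs = _GetWatchlist('CobaltStrike_IOCs')
    | project ioc = tostring(SearchKey);
// Firewall / proxy telemetry: outbound destination and port, keyed as ip:port.
let csl = CommonSecurityLog
    | where isnotempty(DestinationIP) and isnotnull(DestinationPort)
    | extend ioc = strcat(DestinationIP, ":", tostring(DestinationPort))
    | project TimeGenerated, Source = "CommonSecurityLog", Host = Computer,
              ioc, Detail = strcat(DeviceVendor, " ", Activity);
// Endpoint telemetry: remote endpoint plus the process that opened the connection.
let dne = DeviceNetworkEvents
    | where isnotempty(RemoteIP)
    | extend ioc = strcat(RemoteIP, ":", tostring(RemotePort))
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents",
              Host = DeviceName, ioc, Detail = InitiatingProcessFileName;
// One pass over both sources; only exact ip:port matches survive the filter.
union csl, dne
| where ioc in (ioc_pairs)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Details = make_set(Detail, 10) by Host, Source, ioc
| order by LastSeen desc
```

Populating the watchlist from the feed (rather than editing the query) is what keeps the hunt current when ThreatFox adds or retires indicators.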
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: Security teams may use Cobalt Strike as part of authorized red team simulations.
Filter/Exclusion: Check for presence of redteam or authorized in the user or task description, or filter by user group (e.g., redteam_users).
Scenario: Scheduled Job for Log Collection or Monitoring
Description: A scheduled task may run Cobalt Strike binaries to collect logs or monitor system activity as part of compliance or security monitoring.
Filter/Exclusion: Exclude tasks that run under a specific service account (e.g., logcollector) or include log or monitor in the task name.
Scenario: Admin Task for Patch Management or System Updates
Description: System administrators may use Cobalt Strike to run scripts or tools for patching or system updates.
Filter/Exclusion: Filter by user account (e.g., admin, patchmgr) or check for presence of patch, update, or maintenance in the command line.
Scenario: Network Monitoring Tool Using Cobalt Strike for Traffic Analysis
Description: A legitimate network monitoring tool (e.g., Wireshark, tcpdump) may be run via Cobalt Strike for packet capture or analysis.
Filter/Exclusion: Exclude processes that include tcpdump, wireshark, or nmap in their command line arguments.
Scenario: Endpoint Detection and Response (EDR) Tool Integration
Description: An EDR tool (e.g., CrowdStrike, SentinelOne) may use Cobalt Strike for integration testing or compatibility checks.
Filter/Exclusion: Filter by process name (e.g., crowdstrike.exe, sentinelone.exe) or include a specific tag