Adversaries are leveraging Cobalt Strike IOCs to establish command and control and exfiltrate data within the network. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threat activity before it causes significant damage.
IOC Summary
Malware Family: Cobalt Strike Total IOCs: 17 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 152[.]53[.]195[.]50:80 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 117[.]72[.]159[.]215:443 | botnet_cc | 2026-05-27 | 50% |
| ip:port | 8[.]163[.]49[.]50:80 | botnet_cc | 2026-05-27 | 50% |
| ip:port | 68[.]183[.]109[.]88:80 | botnet_cc | 2026-05-27 | 50% |
| ip:port | 134[.]122[.]134[.]243:80 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 134[.]122[.]134[.]243:8080 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 39[.]100[.]88[.]189:443 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 39[.]100[.]88[.]189:80 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 39[.]100[.]88[.]189:8080 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 152[.]53[.]195[.]50:4444 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 152[.]53[.]195[.]50:443 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 152[.]53[.]195[.]50:8080 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 121[.]37[.]200[.]35:80 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 124[.]70[.]184[.]106:443 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 60[.]205[.]109[.]25:51234 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 139[.]196[.]223[.]82:2443 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 134[.]122[.]134[.]243:443 | botnet_cc | 2026-05-26 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["134.122.134.243", "121.37.200.35", "139.196.223.82", "117.72.159.215", "8.163.49.50", "152.53.195.50", "124.70.184.106", "60.205.109.25", "68.183.109.88", "39.100.88.189"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["134.122.134.243", "121.37.200.35", "139.196.223.82", "117.72.159.215", "8.163.49.50", "152.53.195.50", "124.70.184.106", "60.205.109.25", "68.183.109.88", "39.100.88.189"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform maintenance tasks.
Filter/Exclusion: Exclude events where the process name is beacon.exe and the command line contains --checkin or --verify.
Scenario: Admin Task Using Cobalt Strike for Internal Red Team Exercise
Description: Security administrators use Cobalt Strike for internal red team simulations or training exercises.
Filter/Exclusion: Exclude processes initiated by users with the Administrators group or with a known red team tooling user account (e.g., redteamadmin).
Scenario: Cobalt Strike Beacon Used for System Monitoring
Description: A beacon is used to monitor system performance or collect logs as part of a legitimate monitoring tool.
Filter/Exclusion: Exclude events where the beacon is running under a known monitoring service account or where the command line includes --monitor or --log.
Scenario: Cobalt Strike Beacon for Patch Management Testing
Description: A beacon is used to test patch deployment or system updates in a controlled environment.
Filter/Exclusion: Exclude events where the process is initiated by a patch management tool (e.g., SCCM, WSUS) or where the command line includes --patch or --test.
Scenario: Cobalt Strike Beacon for Network Discovery in a Segmented Environment
Description: A beacon is used to map internal network segments as part of a network discovery or inventory process.
Filter/Exclusion: Exclude events where the beacon is initiated by a network discovery tool (e.g., Nmap, Masscan) or where the command line includes --discover or --network.