This detection identifies potential Cobalt Strike command-and-control (C2) activity by matching network connections against known indicators of compromise (IOCs); a hit suggests an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behaviour in their Azure Sentinel environment to detect and mitigate advanced persistent threats that leverage Cobalt Strike.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]108[.]49[.]157:8443 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 67[.]216[.]197[.]83:10000 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 47[.]122[.]118[.]128:443 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 47[.]122[.]118[.]128:80 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 47[.]122[.]118[.]128:8080 | botnet_cc | 2026-06-21 | 100% |
```kql
// Hunt for network connections to known malicious IPs in CEF/Syslog data
// Source: ThreatFox - Cobalt Strike
// Note: this query matches on IP address only; the IOC table above also lists
// the C2 port for each address, which can be used to tighten the match.
let malicious_ips = dynamic(["47.122.118.128", "67.216.197.83", "43.108.49.157"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events for the same IP list
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["47.122.118.128", "67.216.197.83", "43.108.49.157"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
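The two queries above match on IP address alone, while the IOC table lists ip:port pairs; matching on the full pair reduces noise from shared hosting infrastructure. The query below is an added example, not part of the original page: it joins the five ip:port pairs against both tables in one pass and summarises per host. It assumes the standard Sentinel schema column names, including the Computer column of CommonSecurityLog.

```kql
// Added example: port-aware Cobalt Strike C2 hunt across both Sentinel tables.
// IOC pairs are taken from the table on this page.
let cs_c2 = datatable(ioc_ip:string, ioc_port:int) [
    "43.108.49.157", 8443,
    "67.216.197.83", 10000,
    "47.122.118.128", 443,
    "47.122.118.128", 80,
    "47.122.118.128", 8080
];
// Normalise CEF/Syslog connections to a common shape (Computer is the log-source host)
let csl = CommonSecurityLog
    | where isnotempty(DestinationIP)
    | project TimeGenerated, Source="CommonSecurityLog", Host=Computer,
              ioc_ip=DestinationIP, ioc_port=toint(DestinationPort),
              Process="", Action=DeviceAction;
// Normalise Defender for Endpoint network events to the same shape
let mde = DeviceNetworkEvents
    | project TimeGenerated=Timestamp, Source="DeviceNetworkEvents", Host=DeviceName,
              ioc_ip=RemoteIP, ioc_port=RemotePort,
              Process=InitiatingProcessFileName, Action=ActionType;
union csl, mde
// Inner join on both columns: only exact ip:port matches survive
| join kind=inner cs_c2 on ioc_ip, ioc_port
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated),
            Hits=count(), Processes=make_set(Process), Actions=make_set(Action)
  by Host, Source, ioc_ip, ioc_port
| order by LastSeen desc
```

A host that appears in both Source values, or with a non-empty process set, is the first candidate for triage.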
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: A red team member is using Cobalt Strike for authorized penetration testing.
Filter/Exclusion: Check for presence of redteam or pentest in the command line or session context. Exclude processes initiated from a known red team directory (e.g., /opt/redteam/).
Scenario: Scheduled Job for System Maintenance
Description: A system administrator schedules a job to run a maintenance script that uses ps or tasklist commands, which may be flagged as Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes running under a known admin account (e.g., Administrator) or those matching a scheduled task name like SystemMaintenance.
Scenario: Use of ps or tasklist for Process Monitoring
Description: A system administrator uses ps or tasklist to monitor running processes as part of routine system monitoring.
Filter/Exclusion: Exclude processes where the command line includes ps or tasklist and the user is a known admin or sysadmin (e.g., [email protected]).
Scenario: Cobalt Strike Used for Internal Tooling
Description: An internal security team uses Cobalt Strike as part of their internal security tooling for simulation exercises.
Filter/Exclusion: Exclude processes that originate from a known internal tooling directory (e.g., /opt/internal-tools/) or are associated with a specific internal team (e.g., security-team).
Scenario: Legitimate Use of wmi for Remote Management
Description: A system administrator uses Windows Management Instrumentation (wmi) to remotely manage servers, which may be flagged due to its similarity to Cobalt Strike techniques.
*Filter/Ex