Adversaries may be using Cobalt Strike to establish command and control within the network, leveraging known IOCs to exfiltrate data and maintain persistence. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and disrupt advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Cobalt Strike Total IOCs: 14 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]86[.]105[.]108:443 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 172[.]86[.]105[.]108:80 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 172[.]86[.]105[.]108:8080 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 124[.]222[.]155[.]113:80 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 124[.]222[.]155[.]113:443 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 124[.]222[.]155[.]113:8080 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 64[.]177[.]70[.]33:80 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 64[.]177[.]70[.]33:8080 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 172[.]86[.]105[.]108:8081 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 118[.]89[.]203[.]103:9999 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 155[.]94[.]193[.]170:8080 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 118[.]89[.]203[.]103:80 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 124[.]222[.]248[.]10:8088 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 8[.]163[.]104[.]36:80 | botnet_cc | 2026-06-03 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["64.177.70.33", "172.86.105.108", "118.89.203.103", "124.222.155.113", "155.94.193.170", "8.163.104.36", "124.222.248.10"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["64.177.70.33", "172.86.105.108", "118.89.203.103", "124.222.155.113", "155.94.193.170", "8.163.104.36", "124.222.248.10"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: Security teams may use Cobalt Strike as part of authorized red team simulations.
Filter/Exclusion: Check for presence of redteam or authorized in the process name or command line arguments. Exclude processes with --redteam or --authorized flags.
Scenario: Scheduled Job for System Maintenance
Description: A scheduled task may run a script that uses ps or tasklist commands, which could be flagged as Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes associated with schtasks.exe or at.exe and filter for command lines containing tasklist or ps in a known maintenance script.
Scenario: Admin Task for Log Collection
Description: System administrators may use tools like logman or wevtutil to collect logs, which could be mistaken for Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes with logman or wevtutil in the command line, and filter for known admin tools used in log management.
Scenario: PowerShell Script for Patch Management
Description: A PowerShell script used for patch management may use Get-WmiObject or Invoke-Command, which could be flagged as Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes with powershell.exe and command lines containing Get-WmiObject, Invoke-Command, or patch in the script name.
Scenario: Network Monitoring Tool with Similar Behavior
Description: Tools like Wireshark or tcpdump may use similar command-line arguments or process names that match Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes with wireshark.exe, `