The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistent access to the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 7
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 67[.]216[.]197[.]83:2083 | botnet_cc | 2026-06-24 | 100% |
| ip:port | 67[.]216[.]197[.]83:2087 | botnet_cc | 2026-06-24 | 100% |
| ip:port | 103[.]201[.]131[.]147:8888 | botnet_cc | 2026-06-24 | 100% |
| ip:port | 67[.]216[.]197[.]83:2082 | botnet_cc | 2026-06-24 | 100% |
| ip:port | 49[.]233[.]9[.]4:80 | botnet_cc | 2026-06-24 | 75% |
| domain | www.rmsmarineservice.com.qwqqwq.ggff.net | botnet_cc | 2026-06-24 | 75% |
| ip:port | 221[.]132[.]29[.]137:443 | botnet_cc | 2026-06-23 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["103.201.131.147", "49.233.9.4", "67.216.197.83", "221.132.29.137"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["103.201.131.147", "49.233.9.4", "67.216.197.83", "221.132.29.137"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["www.rmsmarineservice.com.qwqqwq.ggff.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
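The queries above match on IP address only, so a hit on `67.216.197.83` over port 443 is reported with the same weight as one on the published port 2083, and the defanged table values have to be refanged by hand before they can be pasted into a `let` line. The following script is an added example, not part of the original page or of ThreatFox or Sentinel: it parses the IOC table above (the seven rows are embedded as published), refangs them, renders the `let malicious_ips` / `let malicious_domains` lines the queries use, and runs a port-aware classifier over a few constructed network records (not real telemetry). The record keys `src`, `dst`, `dport` and `query`, and the verdict labels, are assumptions of this example.

```python
import ipaddress
import json
from typing import Dict, List, Optional, Set, Tuple

# The seven IOC rows from the page's table, kept defanged exactly as published.
IOC_ROWS = [
    ("ip:port", "67[.]216[.]197[.]83:2083", "botnet_cc", "2026-06-24", "100%"),
    ("ip:port", "67[.]216[.]197[.]83:2087", "botnet_cc", "2026-06-24", "100%"),
    ("ip:port", "103[.]201[.]131[.]147:8888", "botnet_cc", "2026-06-24", "100%"),
    ("ip:port", "67[.]216[.]197[.]83:2082", "botnet_cc", "2026-06-24", "100%"),
    ("ip:port", "49[.]233[.]9[.]4:80", "botnet_cc", "2026-06-24", "75%"),
    ("domain", "www.rmsmarineservice.com.qwqqwq.ggff.net", "botnet_cc", "2026-06-24", "75%"),
    ("ip:port", "221[.]132[.]29[.]137:443", "botnet_cc", "2026-06-23", "100%"),
]


def refang(value: str) -> str:
    """Reverse the common defanging used in published IOC lists."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


def parse_iocs(rows) -> Tuple[Set[Tuple[str, int]], Set[str]]:
    """Split the table into a set of (ip, port) pairs and a set of domains.
    A malformed IP or port raises instead of silently producing a bad watchlist."""
    ip_ports: Set[Tuple[str, int]] = set()
    domains: Set[str] = set()
    for ioc_type, value, *_ in rows:
        value = refang(value)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # ValueError on a garbled address
            ip_ports.add((ip, int(port)))
        elif ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return ip_ports, domains


def watchlist_ips(ip_ports: Set[Tuple[str, int]]) -> Set[str]:
    """Collapse (ip, port) pairs to the bare IP list the KQL queries use."""
    return {ip for ip, _ in ip_ports}


def kql_let(name: str, values) -> str:
    """Render a KQL `let` line with a dynamic array, as used by the hunting queries."""
    return f"let {name} = dynamic({json.dumps(sorted(values))});"


def classify(record: Dict, ip_ports, domains) -> Optional[str]:
    """Classify one constructed network record (keys src/dst/dport/query are assumptions).
    'exact'   : destination ip:port matches a published pair
    'ip-only' : an IP matches but on a port not in the list (lower confidence, still triage)
    'domain'  : DNS query name is, or is a subdomain of, a listed domain
    None      : no indicator hit"""
    ips = watchlist_ips(ip_ports)
    dst, dport = record.get("dst"), record.get("dport")
    if (dst, dport) in ip_ports:
        return "exact"
    if dst in ips or record.get("src") in ips:
        return "ip-only"
    name = (record.get("query") or "").lower().rstrip(".")
    if name and any(name == d or name.endswith("." + d) for d in domains):
        return "domain"
    return None


def hunt(records: List[Dict], rows=IOC_ROWS) -> List[Tuple[int, str]]:
    """Run the classifier over records; return (index, verdict) for hits only."""
    ip_ports, domains = parse_iocs(rows)
    return [(i, v) for i, rec in enumerate(records)
            if (v := classify(rec, ip_ports, domains)) is not None]


# Constructed sample records (not real telemetry), flattened to a simple shape.
SAMPLE_RECORDS = [
    {"src": "10.1.2.3", "dst": "67.216.197.83", "dport": 2083, "query": None},
    {"src": "10.1.2.4", "dst": "67.216.197.83", "dport": 443, "query": None},
    {"src": "10.1.2.5", "dst": "10.1.0.53", "dport": 53,
     "query": "WWW.rmsmarineservice.com.qwqqwq.ggff.net"},
    {"src": "10.1.2.6", "dst": "198.51.100.7", "dport": 443, "query": "example.com"},
]

if __name__ == "__main__":
    pairs, names = parse_iocs(IOC_ROWS)
    print(kql_let("malicious_ips", watchlist_ips(pairs)))
    print(kql_let("malicious_domains", names))
    for idx, verdict in hunt(SAMPLE_RECORDS):
        print(idx, verdict, SAMPLE_RECORDS[idx])
```

In Sentinel the same distinction can be made by carrying `DestinationPort` / `RemotePort` into the match (for example, an `extend` of `strcat(DestinationIP, ":", tostring(DestinationPort))` compared against the published `ip:port` strings) and labelling IP-only hits as lower confidence rather than dropping them, since a Beacon profile can be redirected to another port on the same host.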
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike Beacon to verify connectivity or perform a health check.
Filter/Exclusion: Exclude events where the process name is beacon.exe and the command line includes --checkin or --verify.
Scenario: Admin Task to Generate Cobalt Strike Reports
Description: An administrator uses Cobalt Strike to generate internal reports or export logs for compliance or auditing purposes.
Filter/Exclusion: Exclude events where the process name is cobaltstrike.exe and the command line includes --export or --report.
Scenario: PowerShell Script Using Cobalt Strike Modules
Description: A script runs Cobalt Strike modules (e.g., cobaltstrike.dll) as part of a legitimate automation task, such as generating payloads for testing.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes -Assembly or references cobaltstrike.dll in a known testing environment.
Scenario: Internal Tool for Red Team Exercises
Description: A red teaming tool or internal security tool uses Cobalt Strike IOCs as part of a controlled penetration test.
Filter/Exclusion: Exclude events where the process is associated with a known red teaming tool (e.g., metasploit, nmap, or sqlmap) or where the source IP is from an internal red team subnet.
Scenario: Malware Analysis Lab Environment
Description: A malware analysis lab runs Cobalt Strike in a sandboxed environment to analyze its behavior.
Filter/Exclusion: Exclude events where the process is running in a virtualized environment (e.g., VirtualBox, VMware) or where the file path includes analysis or