The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating possible adversary persistence and exfiltration. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]94[.]233[.]166:4444 | botnet_cc | 2026-06-26 | 100% |
| ip:port | 67[.]216[.]197[.]83:2095 | botnet_cc | 2026-06-26 | 100% |
| ip:port | 142[.]248[.]138[.]80:8080 | botnet_cc | 2026-06-26 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: matches on IP alone; the port from the ip:port IOC is not checked here
let malicious_ips = dynamic(["67.216.197.83", "142.248.138.80", "154.94.233.166"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Note: matches on IP alone; the port from the ip:port IOC is not checked here
let malicious_ips = dynamic(["67.216.197.83", "142.248.138.80", "154.94.233.166"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
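The two queries above key on the IP alone, while the ThreatFox entries are ip:port pairs; matching on both reduces noise from unrelated services on a shared address. The following is an added example, not code from the original page, that joins DeviceNetworkEvents against the three pairs from the IOC table; the 30-day lookback window and the summarize columns are assumptions.

```kql
// Added example: match the ip:port pair from the IOC table, not just the IP.
// The three rows are the refanged IOCs listed above.
let cs_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "154.94.233.166", 4444,
    "67.216.197.83",  2095,
    "142.248.138.80", 8080
];
DeviceNetworkEvents
| where Timestamp > ago(30d)                      // assumed lookback window
| where RemoteIP in ((cs_c2 | project RemoteIP))   // cheap prefilter before the join
| join kind=inner cs_c2 on RemoteIP, RemotePort    // require both IP and port to match
| summarize Connections = count(),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Actions     = make_set(ActionType)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
| order by LastSeen desc
```

The same join works against CommonSecurityLog by renaming the datatable columns to DestinationIP and DestinationPort. Grouping by the initiating process and command line makes the exclusions in the false-positive scenarios below (named accounts, tool paths, test directories) easy to apply as an extra where clause.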
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike Beacon to check in with the C2 server as part of a red team exercise or penetration test.
Filter/Exclusion: Exclude processes initiated by a known red team tool or scheduled task with a specific name like RedTeam_ScheduledCheckin.
Scenario: Admin Task Using Cobalt Strike for Internal Monitoring
Description: An administrator uses Cobalt Strike internally for security testing or monitoring purposes, which may trigger the rule due to the presence of known IOCs.
Filter/Exclusion: Exclude processes running under a specific admin account (e.g., SecurityTeamAdmin) or with a command-line argument indicating internal use (e.g., --internal-test).
Scenario: Cobalt Strike Beacon Used for Internal Threat Hunting
Description: A security team deploys a Cobalt Strike Beacon to simulate an attack and test detection capabilities within a controlled environment.
Filter/Exclusion: Exclude processes that match a known internal threat-hunting tool or have a specific file path like C:\SecurityTools\CobaltStrikeBeacon.exe.
Scenario: Cobalt Strike Used for Privilege Escalation Testing
Description: A red team member uses Cobalt Strike to test privilege escalation techniques, which may include executing payloads that match the rule’s IOCs.
Filter/Exclusion: Exclude processes initiated from a specific test environment directory (e.g., C:\RedTeam\Tests\) or with a specific user context (e.g., TestUser).
Scenario: Cobalt Strike Beacon Used for Log Collection
Description: A security tool or script uses Cobalt Strike Beacon to collect logs from multiple endpoints for analysis, which may trigger the rule due to the presence of Cobalt Strike artifacts.
*Filter/