Adversaries are using the Cobalt Strike infrastructure behind these IOCs to establish command and control and exfiltrate data, which indicates a potential compromise of critical systems. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 16
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 209[.]200[.]246[.]82:443 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 209[.]200[.]246[.]82:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 209[.]200[.]246[.]82:8080 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]122[.]47[.]221:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]122[.]47[.]221:8080 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 101[.]133[.]169[.]173:443 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 35[.]79[.]16[.]81:80 | botnet_cc | 2026-05-31 | 50% |
| ip:port | 82[.]157[.]52[.]180:80 | botnet_cc | 2026-05-31 | 50% |
| ip:port | 139[.]196[.]93[.]201:443 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 139[.]196[.]93[.]201:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 120[.]48[.]66[.]205:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 120[.]48[.]66[.]205:8080 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]122[.]47[.]221:443 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 113[.]31[.]106[.]210:80 | botnet_cc | 2026-05-30 | 100% |
| ip:port | 113[.]31[.]106[.]210:443 | botnet_cc | 2026-05-30 | 100% |
| ip:port | 113[.]31[.]106[.]210:8080 | botnet_cc | 2026-05-30 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["209.200.246.82", "47.122.47.221", "35.79.16.81", "139.196.93.201", "82.157.52.180", "113.31.106.210", "101.133.169.173", "120.48.66.205"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["209.200.246.82", "47.122.47.221", "35.79.16.81", "139.196.93.201", "82.157.52.180", "113.31.106.210", "101.133.169.173", "120.48.66.205"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
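As an added example (not part of the original brief), the Python below refangs the ip:port rows of the IOC table above, optionally drops rows under a chosen confidence, and renders both the IP-only `let` line the queries above use and a stricter DeviceNetworkEvents variant that matches the full ip:port pair; the embedded table excerpt is constructed from the rows above, and the KQL it emits uses the standard `strcat`/`tostring`/`in` operators.

```python
import re

# Constructed excerpt of the IOC table above (defanged ip:port rows), not a live feed.
IOC_TABLE = """
| ip:port | 209[.]200[.]246[.]82:443 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 209[.]200[.]246[.]82:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 35[.]79[.]16[.]81:80 | botnet_cc | 2026-05-31 | 50% |
| ip:port | 113[.]31[.]106[.]210:8080 | botnet_cc | 2026-05-30 | 100% |
"""

# Columns: Type | Value | Threat Type | First Seen | Confidence
ROW = re.compile(r"^\|\s*ip:port\s*\|\s*([^|\s]+)\s*\|\s*\w+\s*\|\s*[\d-]+\s*\|\s*(\d+)%\s*\|$")

def refang(value):
    """Turn a defanged indicator like 1[.]2[.]3[.]4:443 back into 1.2.3.4:443."""
    return value.replace("[.]", ".")

def parse_iocs(table):
    """Map (ip, port) -> confidence for every ip:port row; header and separator lines are skipped."""
    iocs = {}
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, port = refang(m.group(1)).rsplit(":", 1)
            iocs[(ip, int(port))] = int(m.group(2))
    return iocs

def kql_let(name, values):
    """Render a KQL 'let <name> = dynamic([...]);' line from a list of strings."""
    return f"let {name} = dynamic([" + ", ".join(f'"{v}"' for v in values) + "]);"

def kql_ip_list(iocs, min_confidence=0):
    """IP-only list, as the queries above use; min_confidence=100 drops the 50% rows."""
    ips = sorted({ip for (ip, _), c in iocs.items() if c >= min_confidence})
    return kql_let("malicious_ips", ips)

def kql_endpoint_query(iocs, min_confidence=0):
    """Stricter DeviceNetworkEvents hunt: match the listed ip:port pair, not just the IP."""
    eps = sorted(f"{ip}:{port}" for (ip, port), c in iocs.items() if c >= min_confidence)
    return "\n".join([
        kql_let("malicious_endpoints", eps),
        "DeviceNetworkEvents",
        '| where strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_endpoints)',
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])

if __name__ == "__main__":
    print(kql_endpoint_query(parse_iocs(IOC_TABLE), min_confidence=100))
```

The IP-only form stays the broader hunt (a beacon may rotate ports on the same host); the ip:port form is useful when the feed's port data is trusted and alert volume needs to come down.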
Scenario: Legitimate Cobalt Strike Usage
Description: A security team member is using Cobalt Strike for red teaming or penetration testing.
Filter/Exclusion: Exclude processes initiated by user accounts with elevated privileges (e.g., admin, security_team) or those running from known red team directories (e.g., C:\RedTeam\).
Scenario: Scheduled Job for Log Collection
Description: A scheduled task is configured to collect logs using a tool that matches Cobalt Strike IOCs (e.g., logcollector.exe).
Filter/Exclusion: Exclude processes launched by the task scheduler (\Tasks\) or those running under the SYSTEM account.
Scenario: Admin Task for System Monitoring
Description: An admin is running a monitoring tool (e.g., ProcessMonitor.exe) that has similar command-line arguments to Cobalt Strike.
Filter/Exclusion: Exclude processes launched from known admin tools or those with specific command-line switches (e.g., /monitor or /log).
Scenario: PowerShell Script for System Maintenance
Description: A PowerShell script (e.g., SystemCleanup.ps1) is executed that uses modules or functions that match Cobalt Strike IOCs.
Filter/Exclusion: Exclude PowerShell processes that run from known system directories (e.g., C:\Windows\System32\) or that are signed by trusted publishers.
Scenario: Antivirus or EDR Tool Behavior
Description: An EDR tool (e.g., CrowdStrike, SentinelOne) is performing a scan and generates activity that matches Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes associated with known EDR vendors or those running under the LocalSystem account.