Adversaries are using the Cobalt Strike infrastructure behind these IOCs to establish command and control and exfiltrate data from the network. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and disrupt advanced persistent threat activity early.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 50
IOC Types: domain, ip:port
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["178.154.202.31", "178.154.197.84", "178.154.208.54", "178.154.203.218", "178.154.254.215", "178.154.222.195", "178.154.252.244", "119.91.254.26", "178.154.254.6", "185.188.119.7", "178.154.225.78", "178.154.246.238", "185.188.72.28", "8.136.217.32", "1.92.95.105", "178.154.253.119", "178.154.253.223", "178.154.221.167", "178.154.218.92", "178.154.209.249", "178.154.221.93", "8.210.103.84", "37.120.163.114", "47.239.20.75", "178.154.252.97", "178.154.233.48", "178.154.240.132", "134.175.78.181", "178.154.197.33", "178.154.214.82", "178.154.195.3", "178.154.223.251", "178.154.217.149", "43.138.192.16", "178.154.206.19", "178.154.231.45", "178.154.225.21", "178.154.192.211", "45.67.216.142", "178.154.241.10", "178.154.204.219", "178.154.197.224", "37.120.139.245", "178.154.224.141"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["178.154.202.31", "178.154.197.84", "178.154.208.54", "178.154.203.218", "178.154.254.215", "178.154.222.195", "178.154.252.244", "119.91.254.26", "178.154.254.6", "185.188.119.7", "178.154.225.78", "178.154.246.238", "185.188.72.28", "8.136.217.32", "1.92.95.105", "178.154.253.119", "178.154.253.223", "178.154.221.167", "178.154.218.92", "178.154.209.249", "178.154.221.93", "8.210.103.84", "37.120.163.114", "47.239.20.75", "178.154.252.97", "178.154.233.48", "178.154.240.132", "134.175.78.181", "178.154.197.33", "178.154.214.82", "178.154.195.3", "178.154.223.251", "178.154.217.149", "43.138.192.16", "178.154.206.19", "178.154.231.45", "178.154.225.21", "178.154.192.211", "45.67.216.142", "178.154.241.10", "178.154.204.219", "178.154.197.224", "37.120.139.245", "178.154.224.141"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["1364170351-fntufi0mu7.ap-guangzhou.tencentscf.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
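As an added example (not part of this hunt page or the ThreatFox feed), a small Python helper that parses IOC rows in the defanged `| type | value | ... | confidence |` layout this feed uses, refangs them, matches a connection on IP and port together rather than IP alone, and renders a KQL `dynamic([...])` list for a chosen confidence threshold. The sample rows embedded below and the `Ioc` record are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample rows in the feed's defanged table layout (illustrative input only).
SAMPLE_ROWS = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]188[.]119[.]7:443 | botnet_cc | 2026-05-25 | 70% |
| ip:port | 178[.]154[.]192[.]211:443 | botnet_cc | 2026-05-25 | 100% |
| domain | 1364170351-fntufi0mu7.ap-guangzhou.tencentscf.com | botnet_cc | 2026-05-25 | 75% |
"""

@dataclass(frozen=True)
class Ioc:
    kind: str        # "ip:port" or "domain"
    value: str       # refanged, e.g. "185.188.119.7:443"
    confidence: int  # percent, as given by the feed

def refang(value: str) -> str:
    """Undo the [.] defanging so values compare equal to raw telemetry fields."""
    return value.replace("[.]", ".")

def parse_ioc_table(text: str) -> list[Ioc]:
    """Parse markdown IOC rows into Ioc records, skipping the header and separator."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] in ("Type", "") or cells[0].startswith("-"):
            continue
        kind, value, _threat, _first_seen, conf = cells
        iocs.append(Ioc(kind, refang(value), int(conf.rstrip("%"))))
    return iocs

def match_connection(dst_ip: str, dst_port: int, iocs: list[Ioc], min_conf: int = 0):
    """Return the ip:port IOC matching a connection at or above min_conf, else None."""
    # The KQL hunts above match on IP alone, which is broader (good for hunting) but
    # noisier; an ip:port IOC can also be matched on both fields for tighter alerting.
    key = f"{dst_ip}:{dst_port}"
    for ioc in iocs:
        if ioc.kind == "ip:port" and ioc.value == key and ioc.confidence >= min_conf:
            return ioc
    return None

def to_kql_dynamic(iocs: list[Ioc], kind: str, min_conf: int = 0) -> str:
    """Render one IOC kind as the KQL dynamic([...]) literal used in the hunts above."""
    values = sorted({i.value for i in iocs if i.kind == kind and i.confidence >= min_conf})
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"
```

The rendered `dynamic([...])` string can be pasted straight into the `let` line of the queries above after choosing the confidence floor you are willing to alert on.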
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to check in with the C2 server as part of a red team exercise or penetration test.
Filter/Exclusion: Exclude processes with CommandLine containing --checkin or --heartbeat and where the parent process is a known red team tool (e.g., msfvenom, powerview).
Scenario: System Maintenance Task Using Cobalt Strike
Description: An admin uses Cobalt Strike to perform a system maintenance task, such as collecting system information or running a diagnostic script.
Filter/Exclusion: Exclude processes with CommandLine containing --info or --systeminfo and where the user is a domain admin or has elevated privileges.
Scenario: Cobalt Strike Used for Internal Red Team Engagement
Description: A red team member uses Cobalt Strike to simulate an attack within a secure environment for training purposes.
Filter/Exclusion: Exclude processes where the user is a red team member, and the process is running from a known red team directory (e.g., C:\RedTeam\).
Scenario: Cobalt Strike Beacon Used for Log Collection
Description: A system administrator uses Cobalt Strike to collect logs from multiple endpoints for troubleshooting or compliance purposes.
Filter/Exclusion: Exclude processes with CommandLine containing --log or --collect and where the user is a sysadmin or has a specific log collection role.
Scenario: Cobalt Strike Beacon Used for Network Discovery
Description: A network administrator uses Cobalt Strike to discover network devices or services for inventory purposes.
Filter/Exclusion: Exclude processes with CommandLine containing --discover or --networkscan and where the user has network