The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary

- Malware Family: Cobalt Strike
- Total IOCs: 9
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]255[.]157[.]229:8080 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 107[.]150[.]105[.]91:8080 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 204[.]194[.]49[.]142:80 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 101[.]201[.]105[.]51:8089 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 43[.]255[.]157[.]229:8081 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 43[.]255[.]157[.]229:443 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 43[.]255[.]157[.]229:80 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 124[.]222[.]248[.]10:80 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 124[.]222[.]248[.]10:8080 | botnet_cc | 2026-06-04 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// The list holds the 5 distinct IPs from the IOC table; the port is not part of the match.
let malicious_ips = dynamic(["204.194.49.142", "124.222.248.10", "101.201.105.51", "107.150.105.91", "43.255.157.229"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["204.194.49.142", "124.222.248.10", "101.201.105.51", "107.150.105.91", "43.255.157.229"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
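The queries above match on IP alone, while the IOC table lists ip:port pairs. The following added example (not part of the original page) refangs the table's defanged indicators, regenerates the `dynamic([...])` list used in the KQL so it stays in sync with the table, and runs the match over constructed CommonSecurityLog-style records, tagging an exact ip:port hit separately from an IP-only hit so an analyst can prioritise. The `event` helper and the sample records are constructed for this example.

```python
from ipaddress import ip_address
# Defanged ip:port indicators, copied from the IOC table on this page.
IOC_ROWS = [
    "43[.]255[.]157[.]229:8080", "107[.]150[.]105[.]91:8080", "204[.]194[.]49[.]142:80",
    "101[.]201[.]105[.]51:8089", "43[.]255[.]157[.]229:8081", "43[.]255[.]157[.]229:443",
    "43[.]255[.]157[.]229:80", "124[.]222[.]248[.]10:80", "124[.]222[.]248[.]10:8080",
]

def event(t, src, dst, dport):  # record with CommonSecurityLog field names
    return {"TimeGenerated": t, "SourceIP": src, "DestinationIP": dst, "DestinationPort": dport}
# Constructed samples, not real telemetry: an exact ip:port hit, a listed IP on an
# unlisted port, an inbound connection from a listed IP, and a benign flow.
SAMPLE_EVENTS = [
    event("2026-06-05T10:01:00Z", "10.0.0.5", "43.255.157.229", 8080),
    event("2026-06-05T10:02:00Z", "10.0.0.7", "124.222.248.10", 53),
    event("2026-06-05T10:03:00Z", "204.194.49.142", "10.0.0.9", 445),
    event("2026-06-05T10:04:00Z", "10.0.0.5", "8.8.8.8", 53),
]

def refang(ioc):
    """Turn '1[.]2[.]3[.]4:8080' into ('1.2.3.4', 8080); raises on a malformed IP."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    return str(ip_address(ip)), int(port)

def build_ioc_set(rows):
    """Set of (ip, port) pairs; the same IP on different ports stays distinct."""
    return {refang(r) for r in rows}

def kql_ip_list(rows):
    """Render the deduplicated IPs as the dynamic([...]) literal the KQL above expects."""
    ips = sorted({ip for ip, _ in build_ioc_set(rows)}, key=ip_address)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def match_events(events, ioc_set):
    """Tag each hit 'exact' (destination ip:port is an IOC) or 'ip-only'
    (source or destination IP is listed on any port, which is what the KQL matches)."""
    ip_only = {ip for ip, _ in ioc_set}
    hits = []
    for ev in events:
        if (ev["DestinationIP"], ev["DestinationPort"]) in ioc_set:
            hits.append((ev, "exact"))
        elif ev["DestinationIP"] in ip_only or ev["SourceIP"] in ip_only:
            hits.append((ev, "ip-only"))
    return hits

if __name__ == "__main__":
    print("let malicious_ips =", kql_ip_list(IOC_ROWS) + ";")
    for ev, kind in match_events(SAMPLE_EVENTS, build_ioc_set(IOC_ROWS)):
        print(kind, ev["SourceIP"], "->", ev["DestinationIP"], ev["DestinationPort"])
```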
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: Scheduled Cobalt Strike Beacon Check-in
  - Description: A legitimate scheduled job runs a Cobalt Strike Beacon to verify connectivity or perform a health check.
  - Filter/Exclusion: Exclude processes where the parent process is `schtasks.exe` and the command line includes `beacon` or `checkin`.
- Scenario: Admin Task Using Cobalt Strike for Internal Red Team Exercise
  - Description: A security team member uses Cobalt Strike as part of a red team exercise to simulate an attack.
  - Filter/Exclusion: Exclude processes initiated from a known red team tooling directory (e.g., `C:\RedTeam\`) or where the user is a security admin with elevated privileges.
- Scenario: Cobalt Strike Used for Remote Code Execution (RCE) in a Validated Environment
  - Description: A legitimate admin uses Cobalt Strike to execute scripts or commands on remote systems as part of system maintenance.
  - Filter/Exclusion: Exclude processes where the command line includes `execute` or `run` and the parent process is a known management tool (e.g., `psexec.exe`, `winrm.exe`).
- Scenario: Cobalt Strike Beacon Used for Network Discovery in a Penetration Test
  - Description: During a penetration test, a Cobalt Strike Beacon is used to map the network and identify hosts.
  - Filter/Exclusion: Exclude processes where the user is a penetration tester with a known test environment (e.g., `C:\PenTest\`) or where the command line includes `network scan` or `discover`.
- Scenario: Cobalt Strike Used for Log Collection in a Monitoring Tool
  - Description: A monitoring tool uses Cobalt Strike to collect logs from remote systems for analysis.
  - Filter/Exclusion: Exclude processes where the command line includes `log collect` or `log gather`.