This detection identifies potential Cobalt Strike command-and-control (C2) activity by matching network and DNS telemetry against known IOCs. A hit means a host is talking to infrastructure that has been reported as a Cobalt Strike C2 server; C2 is the channel adversaries use to establish persistence and move laterally, so a confirmed hit warrants immediate scoping of the affected host. SOC teams should hunt for this behavior proactively in Microsoft Sentinel (formerly Azure Sentinel) to detect and contain adversaries leveraging Cobalt Strike, whether targeted intrusion groups or ransomware operators.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 21
IOC Types: ip:port, domain
Note: IP values in the table are defanged with [.] and must be refanged before use in a query; the domain is published as-is. Confidence is the reporter's score from ThreatFox, not a measurement in your environment.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 165[.]154[.]227[.]66:8080 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 165[.]154[.]227[.]66:443 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 120[.]55[.]246[.]213:8443 | botnet_cc | 2026-06-07 | 50% |
| ip:port | 43[.]99[.]110[.]114:8888 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 119[.]91[.]78[.]3:808 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 165[.]154[.]227[.]66:80 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 154[.]198[.]49[.]31:8080 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 154[.]198[.]49[.]31:443 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 167[.]71[.]233[.]187:8080 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 167[.]71[.]233[.]187:80 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 47[.]101[.]51[.]235:8080 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 47[.]101[.]51[.]235:80 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 35[.]225[.]227[.]214:443 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 35[.]225[.]227[.]214:80 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 35[.]225[.]227[.]214:8080 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 154[.]198[.]49[.]31:80 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 156[.]245[.]235[.]51:8080 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 156[.]245[.]235[.]51:443 | botnet_cc | 2026-06-06 | 100% |
| domain | 1314180598-d1gxufiq1h.ap-guangzhou.tencentscf.com | botnet_cc | 2026-06-06 | 75% |
| ip:port | 101[.]201[.]111[.]98:8080 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 101[.]201[.]111[.]98:443 | botnet_cc | 2026-06-06 | 100% |
Each hunt below is a stand-alone KQL query; run it in the Sentinel Logs blade. All three key on the refanged values from the IOC table above. The two IP hunts deliberately match on address only and surface the port column for triage: a hit on a listed ip:port pair is the strongest signal, while a hit on the same IP on an unlisted port still deserves a look but may indicate a recycled address (see the false-positive notes at the end).

```kusto
// Hunt for network connections to known malicious IPs (firewall/proxy logs ingested via CEF)
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["35.225.227.214", "154.198.49.31", "47.101.51.235", "101.201.111.98", "167.71.233.187", "119.91.78.3", "120.55.246.213", "43.99.110.114", "165.154.227.66", "156.245.235.51"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (host-level view with the initiating process)
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["35.225.227.214", "154.198.49.31", "47.101.51.235", "101.201.111.98", "167.71.233.187", "119.91.78.3", "120.55.246.213", "43.99.110.114", "165.154.227.66", "156.245.235.51"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["1314180598-d1gxufiq1h.ap-guangzhou.tencentscf.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF-based connectors (firewalls, proxies); ensure the connector is enabled and that the relevant devices forward connection logs |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; requires Defender for Endpoint on the hosts and the raw event tables to be enabled in the connector |
| DnsEvents | Populated by the Windows DNS Servers (via agent) connector; ensure the connector is enabled and query logging is on for the DNS servers clients actually use |
Scenario: Authorized red team or penetration test using Cobalt Strike
Description: The internal security team or an engaged vendor operates its own Cobalt Strike team server, and its beacons produce the same C2 traffic as a real intrusion. The IOCs above are attacker-operated infrastructure reported to ThreatFox, so an authorized engagement should only match this hunt if it reused one of those addresses; confirm that with the engagement lead before excluding anything.
Filter/Exclusion: Exclude only the engagement's documented team server IPs and domains, and only during the agreed window in the rules of engagement. Do not key exclusions on process names, command-line strings or account names (e.g., anything containing beacon, cobaltstrike, patch, update, or an account named admin): an attacker controls all of those and would use such an exclusion to hide.

Scenario: Security tooling that deliberately contacts known C2 infrastructure
Description: Sandboxes, threat intelligence validation scripts, vulnerability scanners and proxy categorization checks may connect to or resolve listed IOCs as part of normal operation.
Filter/Exclusion: Exclude by the specific source hosts or service accounts of those tools, ideally confined to a dedicated analysis network segment, and review the exclusion list on a schedule.

Scenario: Recycled or shared cloud address
Description: Several IOCs sit on shared cloud or serverless hosting (the tencentscf.com entry is a Tencent Cloud serverless function endpoint). Once the C2 is taken down, an IP can be reassigned to an unrelated tenant, so a later connection to it on 80 or 443 may be benign.
Filter/Exclusion: Check First Seen and Confidence, confirm whether the address still hosts a Cobalt Strike listener, and retire stale IOCs from the list rather than permanently suppressing the destination. The sub-100% entries (120[.]55[.]246[.]213:8443, 154[.]198[.]49[.]31:80 and the tencentscf.com domain) warrant this check first.
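The following is an added example in Python; it is not code from this page or from ThreatFox. It refangs a subset of the IOC table above, matches it against a few constructed DeviceNetworkEvents and DnsEvents rows the way the KQL hunts do (IP-only match, with an extra "exact" flag when the port also matches), renders the `let malicious_ips = dynamic([...])` line so the list does not have to be hand-typed, and applies an exclusion scoped to a hypothetical authorized engagement's team server and time window rather than to process names. The IOC subset, the events and the engagement (`ENGAGEMENT`) are all constructed for the example.

```python
"""Added example, not code from the page or from ThreatFox: refang the published IOC table,
match it against constructed network and DNS events the way the KQL hunts above do, render
the KQL dynamic() list, and apply an exclusion scoped to an authorized engagement."""
from __future__ import annotations
from datetime import datetime, timezone

# Constructed subset of the IOC table above, kept defanged exactly as published.
IOC_ROWS = """
| ip:port | 165[.]154[.]227[.]66:8080 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 120[.]55[.]246[.]213:8443 | botnet_cc | 2026-06-07 | 50% |
| ip:port | 35[.]225[.]227[.]214:443 | botnet_cc | 2026-06-07 | 100% |
| domain | 1314180598-d1gxufiq1h.ap-guangzhou.tencentscf.com | botnet_cc | 2026-06-06 | 75% |
"""

def refang(value: str) -> str:
    """Reverse the defanging used in published IOC lists: "165[.]154..." -> "165.154..."."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def parse_iocs(table: str) -> list[tuple[str, str, int]]:
    """Parse rows of the form | type | value | threat | first_seen | confidence | into
    (kind, refanged value, confidence %) tuples; header and separator rows are skipped."""
    iocs = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 5 and cells[0] in ("ip:port", "domain"):
            iocs.append((cells[0], refang(cells[1]), int(cells[4].rstrip("%"))))
    return iocs

def build_lookup(iocs):
    """Index IOCs as exact (ip, port), port-agnostic ip (what the KQL above keys on) and domain."""
    by_ip_port, by_ip, domains = {}, {}, {}
    for kind, value, conf in iocs:
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            by_ip_port[(ip, int(port))] = conf
            by_ip[ip] = max(by_ip.get(ip, 0), conf)  # keep the highest confidence per IP
        else:
            domains[value.lower()] = conf
    return by_ip_port, by_ip, domains

def kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) literal for a `let malicious_ips = ...;` line."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"

def match_network(events, by_ip_port, by_ip):
    """Flag events whose RemoteIP is an IOC: 'exact' when the port matches too, else 'ip_only'."""
    hits = []
    for ev in events:
        key = (ev["RemoteIP"], ev["RemotePort"])
        if key in by_ip_port:
            hits.append({**ev, "match": "exact", "confidence": by_ip_port[key]})
        elif ev["RemoteIP"] in by_ip:
            hits.append({**ev, "match": "ip_only", "confidence": by_ip[ev["RemoteIP"]]})
    return hits

def match_dns(events, domains):
    """Flag queries for an IOC domain or for any label beneath it."""
    hits = []
    for ev in events:
        name = ev["Name"].lower().rstrip(".")
        for dom, conf in domains.items():
            if name == dom or name.endswith("." + dom):
                hits.append({**ev, "match": dom, "confidence": conf})
    return hits

# Hypothetical authorized engagement. The exclusion is keyed to the team server address and
# the rules-of-engagement window, never to process names or command lines an attacker controls.
ENGAGEMENT = {
    "team_servers": {"35.225.227.214"},  # overlaps the feed only if the red team reused that host
    "start": datetime(2026, 6, 7, tzinfo=timezone.utc),
    "end": datetime(2026, 6, 8, tzinfo=timezone.utc),
}

def apply_engagement_exclusion(hits, engagement=ENGAGEMENT):
    """Drop hits against the engagement's servers inside its window; keep everything else."""
    return [h for h in hits
            if not (h["RemoteIP"] in engagement["team_servers"]
                    and engagement["start"] <= h["Timestamp"] < engagement["end"])]

# Constructed DeviceNetworkEvents / DnsEvents rows; not real telemetry.
T = datetime(2026, 6, 7, 12, 0, tzinfo=timezone.utc)
NET_EVENTS = [
    {"Timestamp": T, "DeviceName": "ws01", "RemoteIP": "165.154.227.66", "RemotePort": 8080, "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": T, "DeviceName": "ws02", "RemoteIP": "35.225.227.214", "RemotePort": 8443, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": T, "DeviceName": "ws03", "RemoteIP": "203.0.113.10", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
]
DNS_EVENTS = [
    {"Timestamp": T, "Computer": "ws01", "Name": "1314180598-d1gxufiq1h.ap-guangzhou.tencentscf.com"},
    {"Timestamp": T, "Computer": "ws04", "Name": "www.example.com"},
]

def hunt():
    """Run the full pipeline over the constructed events; returns (kql_line, net_hits, dns_hits)."""
    by_ip_port, by_ip, domains = build_lookup(parse_iocs(IOC_ROWS))
    net = apply_engagement_exclusion(match_network(NET_EVENTS, by_ip_port, by_ip))
    return f"let malicious_ips = {kql_dynamic(by_ip)};", net, match_dns(DNS_EVENTS, domains)

if __name__ == "__main__":
    for item in hunt():
        print(item)
```

On the constructed data, ws01 is an exact ip:port hit and survives; ws02 matches the IOC IP on an unlisted port but falls inside the hypothetical engagement window for that team server and is suppressed; the DNS query from ws01 for the tencentscf.com endpoint is reported with the feed's 75% confidence. Replacing `IOC_ROWS` with the full table yields the same `let` line used in the KQL hunts.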