Adversaries are leveraging Cobalt Strike IOCs to establish command and control and exfiltrate data within the network. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and mitigate advanced persistent threat activity early.
IOC Summary
Malware Family: Cobalt Strike Total IOCs: 16 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]136[.]53[.]4:80 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 8[.]136[.]53[.]4:8080 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 8[.]136[.]53[.]4:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 185[.]188[.]155[.]179:4444 | botnet_cc | 2026-06-15 | 93% |
| ip:port | 43[.]228[.]79[.]138:8080 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 151[.]239[.]24[.]141:9090 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 45[.]202[.]1[.]194:80 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 8[.]136[.]53[.]4:8000 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 8[.]136[.]53[.]4:8888 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 8[.]145[.]44[.]217:9999 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 162[.]243[.]15[.]224:80 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 43[.]228[.]79[.]138:80 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 43[.]228[.]79[.]138:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 43[.]228[.]79[.]138:808 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 8[.]152[.]2[.]86:8889 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 124[.]222[.]218[.]12:18443 | botnet_cc | 2026-06-14 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["8.136.53.4", "124.222.218.12", "45.202.1.194", "162.243.15.224", "8.152.2.86", "43.228.79.138", "151.239.24.141", "8.145.44.217", "185.188.155.179"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["8.136.53.4", "124.222.218.12", "45.202.1.194", "162.243.15.224", "8.152.2.86", "43.228.79.138", "151.239.24.141", "8.145.44.217", "185.188.155.179"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage
Description: A security team member is using Cobalt Strike for red teaming or penetration testing.
Filter/Exclusion: Check for process.name containing “cobaltstrike” or “cobaltstrike.exe” and filter by user with administrative privileges or known red teaming tools.
Scenario: Scheduled Job for Log Collection
Description: A scheduled task is running a script to collect system logs using a tool like logparser or PowerShell for analysis.
Filter/Exclusion: Filter by process.name containing “logparser” or “powershell.exe” and check for process.args containing log collection commands.
Scenario: Admin Task for System Monitoring
Description: An administrator is running a monitoring tool like Process Explorer or Procmon to troubleshoot system performance.
Filter/Exclusion: Filter by process.name containing “procmon” or “process.explorer” and check for user context (e.g., user.name is an admin account).
Scenario: Network Monitoring Tool Traffic
Description: A network monitoring tool like Wireshark or tcpdump is capturing traffic for analysis.
Filter/Exclusion: Filter by process.name containing “wireshark” or “tcpdump” and check for process.args related to packet capture.
Scenario: Antivirus or EDR Tool Scanning
Description: An endpoint protection tool like Microsoft Defender or CrowdStrike Falcon is performing a full system scan.
Filter/Exclusion: Filter by process.name containing “defender” or “falcon” and check for process.args related to scanning or quarantine operations.