The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating possible adversary persistence and exfiltration. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike Total IOCs: 9 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 35[.]220[.]177[.]232:4343 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 46[.]20[.]109[.]225:8999 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 158[.]94[.]173[.]11:12345 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 43[.]138[.]186[.]157:9443 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 47[.]236[.]110[.]1:443 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 47[.]236[.]110[.]1:8080 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 156[.]225[.]22[.]84:443 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 156[.]225[.]22[.]84:8080 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 180[.]131[.]145[.]97:9995 | botnet_cc | 2026-05-22 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["180.131.145.97", "43.138.186.157", "35.220.177.232", "47.236.110.1", "158.94.173.11", "156.225.22.84", "46.20.109.225"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["180.131.145.97", "43.138.186.157", "35.220.177.232", "47.236.110.1", "158.94.173.11", "156.225.22.84", "46.20.109.225"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check
Description: A legitimate scheduled job runs a Cobalt Strike Beacon check to verify connectivity or test payloads.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or with a command line containing beacon or check in the context of a scheduled task.
Scenario: Admin Task to Generate Cobalt Strike Payloads for Testing
Description: A system administrator uses Cobalt Strike for red team testing or training, generating payloads in a controlled environment.
Filter/Exclusion: Exclude processes initiated by users with elevated privileges (e.g., runas or sudo) or where the command line includes --test or --simulate.
Scenario: Log Collection Tool Using Cobalt Strike for Data Exfiltration
Description: A legitimate log collection tool (e.g., Splunk, ELK) is misconfigured to use Cobalt Strike for data exfiltration.
Filter/Exclusion: Exclude processes that are part of known log collection tools or have command lines containing exfil, upload, or transfer.
Scenario: Cobalt Strike Used for Internal Red Team Engagement
Description: A red team member uses Cobalt Strike to simulate an attack within the organization’s network for security training.
Filter/Exclusion: Exclude processes initiated from known red team tools or with a command line containing --redteam or --training.
Scenario: Cobalt Strike Beacon Used for Network Discovery in a Penetration Test
Description: During a penetration test, Cobalt Strike Beacon is used to map the network and identify live hosts.
Filter/Exclusion: Exclude processes where the command line includes --network, --discover, or --scan, or where the user is part of a known penetration testing team.