Adversaries use Cobalt Strike to establish persistent command and control inside a network, exfiltrate data and remain stealthy; the IOCs below are the command-and-control endpoints associated with that activity. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and contain advanced persistent threat activity before it leads to a data breach or system compromise.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 22
IOC Types: ip:port
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: matches on IP address only; the feed lists specific ports, so
// DestinationPort is projected for analyst review rather than filtered on.
let malicious_ips = dynamic(["85.121.4.107", "38.47.226.41", "38.14.248.138", "178.128.1.56", "101.43.103.154", "167.71.233.187", "101.201.111.98", "113.45.226.61", "44.218.174.67", "39.97.243.199", "47.101.51.235", "121.89.81.108", "45.118.133.200", "156.245.235.51"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["85.121.4.107", "38.47.226.41", "38.14.248.138", "178.128.1.56", "101.43.103.154", "167.71.233.187", "101.201.111.98", "113.45.226.61", "44.218.174.67", "39.97.243.199", "47.101.51.235", "121.89.81.108", "45.118.133.200", "156.245.235.51"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
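The hunt queries above match on IP address alone, while the feed lists each indicator as a specific `ip:port` pair with a confidence score. The following added helper (not part of the original hunt content) refangs the `[.]`-defanged feed values, drops entries below a confidence threshold, and generates a port-aware Sentinel query that joins `CommonSecurityLog` on both destination IP and port; the sample rows are constructed from the feed format, and `min_confidence`, `cs_c2` and the helper names are this example's own choices.

```python
import ipaddress
import re

# Constructed sample rows in the feed's defanged ip:port format: (value, confidence %)
SAMPLE_IOCS = [
    ("113[.]45[.]226[.]61:443", 100),
    ("113[.]45[.]226[.]61:8080", 100),
    ("178[.]128[.]1[.]56:443", 50),
    ("101[.]43[.]103[.]154:443", 75),
]

DEFANG = re.compile(r"\[\.\]")

def parse_ioc(value):
    """Refang an 'ip:port' indicator and return (ip, port) as (str, int).
    Raises ValueError on malformed rows so a bad feed entry fails loudly
    instead of silently producing a query that matches nothing."""
    host, sep, port = DEFANG.sub(".", value.strip()).rpartition(":")
    if not sep:
        raise ValueError(f"no port in indicator: {value!r}")
    ip = str(ipaddress.ip_address(host))  # validates the address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"bad port in indicator: {value!r}")
    return ip, port_num

def select_iocs(rows, min_confidence=75):
    """Yield unique (ip, port) pairs at or above the confidence threshold."""
    seen = set()
    for value, confidence in rows:
        if confidence < min_confidence:
            continue
        pair = parse_ioc(value)
        if pair not in seen:
            seen.add(pair)
            yield pair

def build_kql(pairs):
    """Emit a hunt that requires destination IP *and* port to match the feed."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in pairs)
    return (
        f"let cs_c2 = datatable(ip:string, port:int)[{rows}];\n"
        "CommonSecurityLog\n"
        "| where isnotempty(DestinationIP)\n"
        "| join kind=inner cs_c2 on $left.DestinationIP == $right.ip, "
        "$left.DestinationPort == $right.port\n"
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity\n"
        "| order by TimeGenerated desc"
    )

if __name__ == "__main__":
    print(build_kql(list(select_iocs(SAMPLE_IOCS))))
```

Port-aware matching lowers noise for shared-hosting IPs; keep the IP-only queries above as the broader sweep.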
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike Beacon to verify connectivity or check for updates.
Filter/Exclusion: Exclude processes where the parent process is schtasks.exe or task scheduler and the command line includes beacon or checkin.

Scenario: Admin Task Using Cobalt Strike for Internal Monitoring
Description: A system administrator uses Cobalt Strike as part of a red team exercise or internal security testing.
Filter/Exclusion: Exclude processes initiated from known admin tools like PowerShell.exe or cmd.exe with a command line containing -noconsole or runas.

Scenario: Cobalt Strike Beacon Used for Lateral Movement in a Multi-Step Penetration Test
Description: A red team deploys a Cobalt Strike Beacon as part of a multi-stage penetration test to move laterally within a network.
Filter/Exclusion: Exclude processes where the parent process is a known red team tool (e.g., Metasploit, Cobalt Strike) and the command line includes lateral or move.

Scenario: Cobalt Strike Beacon Used for Internal Threat Hunting
Description: Security analysts use a Cobalt Strike Beacon to simulate an attacker’s presence and test detection mechanisms.
Filter/Exclusion: Exclude processes where the command line includes simulate or threat_hunting and the parent process is a known security tool like Wireshark or Splunk.

Scenario: Cobalt Strike Beacon Used for Internal Network Mapping
Description: A network administrator uses Cobalt Strike Beacon to map internal network topology for documentation or troubleshooting.
Filter/Exclusion: Exclude processes where the command line includes map or discover and the parent process is