The detection identifies potential Cobalt Strike C2 activity through known IOCs, indicating an adversary may be establishing command and control over the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]3[.]98[.]166:1234 | botnet_cc | 2026-04-22 | 100% |
| ip:port | 100[.]52[.]249[.]75:443 | botnet_cc | 2026-04-22 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: this matches on IP only; the ThreatFox indicators above also carry ports (1234 and 443),
// so add a DestinationPort filter if you want the tighter ip:port match.
let malicious_ips = dynamic(["100.52.249.75", "192.3.98.166"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events (same IP-only match; see RemotePort for the ip:port pairing)
let malicious_ips = dynamic(["100.52.249.75", "192.3.98.166"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
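The two queries above match on IP alone, while the ThreatFox indicators are ip:port pairs. As an added example (not part of the original page or of ThreatFox/Sentinel tooling), the script below refangs the defanged indicators from the table, emits a KQL datatable for a port-aware join, and shows on constructed log records how the IP-only and ip:port matches differ. The record field names and the `cs_c2` table name are assumptions.

```python
"""Refang ThreatFox ip:port indicators, emit a port-aware KQL datatable,
and check constructed CommonSecurityLog-style records against the IOC set."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Copied from the IOC table on this page, in its defanged form.
DEFANGED_IOCS = ["192[.]3[.]98[.]166:1234", "100[.]52[.]249[.]75:443"]

# Constructed sample records (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_RECORDS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "192.3.98.166", "DestinationPort": "1234"},
    {"SourceIP": "10.0.0.6", "DestinationIP": "100.52.249.75", "DestinationPort": "80"},
    {"SourceIP": "10.0.0.7", "DestinationIP": "203.0.113.10", "DestinationPort": "443"},
]

_IOC_RE = re.compile(r"^(?P<ip>[0-9\[\].]+):(?P<port>\d{1,5})$")


def refang(ioc: str) -> Tuple[str, int]:
    """Turn '192[.]3[.]98[.]166:1234' into ('192.3.98.166', 1234), validating both parts."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"unrecognised ip:port indicator: {ioc!r}")
    ip = str(ipaddress.IPv4Address(m["ip"].replace("[.]", ".")))  # raises on a malformed address
    port = int(m["port"])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {ioc!r}")
    return ip, port


def kql_datatable(iocs: Iterable[str], name: str = "cs_c2") -> str:
    """Emit a KQL `let` binding a datatable of (ip, port) rows for a port-aware join."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in map(refang, iocs))
    return f"let {name} = datatable(ip:string, port:int)[\n{rows}\n];"


def match_records(records: List[Dict[str, str]], iocs: Iterable[str],
                  require_port: bool = True) -> List[Dict[str, str]]:
    """Return records whose DestinationIP (and DestinationPort, when required) hits the IOC set."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for r in records:
        key = (r["DestinationIP"], int(r["DestinationPort"]))
        matched = key in pairs if require_port else key[0] in ips
        if matched:
            hits.append(r)
    return hits
```

The emitted `let` can be joined in Sentinel with `CommonSecurityLog | join kind=inner cs_c2 on $left.DestinationIP == $right.ip and $left.DestinationPort == $right.port`; note that the IP-only match also flags the 100.52.249.75:80 record, which the ip:port match does not.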
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using Cobalt Strike for red team exercises
Filter/Exclusion: Check for presence of cobaltstrike.exe in known red team directories (e.g., C:\RedTeam\) and exclude processes launched from such paths.

Scenario: System administrator using Cobalt Strike for penetration testing
Filter/Exclusion: Exclude processes initiated by admin accounts with known penetration testing tools (e.g., C:\Tools\PenTesting\cobaltstrike.exe) and verify user context.

Scenario: Automated job that generates Cobalt Strike artifacts for documentation purposes
Filter/Exclusion: Exclude processes that run under a specific service account (e.g., svc_docs) and have a known job schedule in the task scheduler.

Scenario: Cobalt Strike used as a legitimate C2 tool in a security operations environment
Filter/Exclusion: Exclude processes that are part of a security team’s C2 infrastructure (e.g., C:\SecurityTools\CobaltStrike\) and are monitored by SOAR platforms.

Scenario: Cobalt Strike used for internal network mapping during a security assessment
Filter/Exclusion: Exclude processes that are initiated from a known security assessment toolset (e.g., C:\SecurityAssessment\) and are logged with a specific source IP.