This detection identifies potential Cobalt Strike infrastructure by monitoring for known IOCs associated with the adversary's command and control activity. SOC teams should proactively hunt for this behavior to detect early-stage compromise and prevent lateral movement in environments monitored with Azure Sentinel.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 10
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 119[.]29[.]117[.]194:443 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 198[.]44[.]177[.]179:8080 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 198[.]44[.]177[.]179:80 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 198[.]44[.]177[.]179:443 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 182[.]254[.]218[.]20:443 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 198[.]44[.]177[.]179:8081 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 60[.]204[.]186[.]112:7777 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 113[.]47[.]8[.]229:80 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 45[.]116[.]78[.]181:443 | botnet_cc | 2026-05-29 | 100% |
| domain | 1364170351-gsw88cee73.ap-guangzhou.tencentscf.com | botnet_cc | 2026-05-28 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["113.47.8.229", "45.116.78.181", "60.204.186.112", "182.254.218.20", "198.44.177.179", "119.29.117.194"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["113.47.8.229", "45.116.78.181", "60.204.186.112", "182.254.218.20", "198.44.177.179", "119.29.117.194"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["1364170351-gsw88cee73.ap-guangzhou.tencentscf.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
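The queries above match on IP address alone, so a shared or reassigned host such as 198[.]44[.]177[.]179 will also flag traffic to ports the IOC table does not list. The following added query (not part of the original hunt pack) joins DeviceNetworkEvents on the exact ip:port pairs from the IOC table and carries the table's confidence value through to the result, so analysts can triage the 75% indicators separately; the `cs_iocs` datatable is built here from the table above, and the 30-day window is an assumed lookback.

```kusto
// Added example: exact ip:port matching against the IOC table, with confidence carried through.
// cs_iocs is constructed from the IOC Summary table on this page (ThreatFox - Cobalt Strike).
let cs_iocs = datatable(RemoteIP:string, RemotePort:int, Confidence:int)
[
    "119.29.117.194", 443,  75,
    "198.44.177.179", 8080, 100,
    "198.44.177.179", 80,   100,
    "198.44.177.179", 443,  100,
    "182.254.218.20", 443,  100,
    "198.44.177.179", 8081, 100,
    "60.204.186.112", 7777, 100,
    "113.47.8.229",   80,   100,
    "45.116.78.181",  443,  100
];
DeviceNetworkEvents
| where Timestamp > ago(30d)                       // assumed lookback window
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
// Inner join on both columns: only the listed ip:port pairs match, not every port on the host
| join kind=inner cs_iocs on RemoteIP, RemotePort
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10)
          by DeviceName, RemoteIP, RemotePort, Confidence
| order by Confidence desc, LastSeen desc
```

Hosts that appear here with a 100% indicator warrant immediate triage, while 75% hits on the shared 119[.]29[.]117[.]194:443 pair should be reviewed against the initiating process before escalation.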
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform maintenance.
Filter/Exclusion: Exclude events where the process name is beacon.exe and the command line includes --checkin or --verify.
Scenario: Admin Task Using Cobalt Strike for Red Team Exercises
Description: Security teams use Cobalt Strike as part of red team simulations or training exercises.
Filter/Exclusion: Exclude processes initiated by users with the RedTeam or SecurityTraining group membership, or where the command line includes --simulate or --training.
Scenario: System File Integrity Check Using Cobalt Strike
Description: A system administrator uses Cobalt Strike to test file integrity checks or network connectivity.
Filter/Exclusion: Exclude processes where the parent process is task scheduler or schtasks.exe, and the command line includes --integrity or --check.
Scenario: Cobalt Strike Used for Internal Network Discovery
Description: A network administrator uses Cobalt Strike to map internal network topology for documentation purposes.
Filter/Exclusion: Exclude processes where the command line includes --map or --network, and the user is part of the NetworkAdmin group.
Scenario: Cobalt Strike Beacon Used for System Monitoring
Description: A monitoring tool uses a Cobalt Strike beacon to collect system metrics or logs.
Filter/Exclusion: Exclude events where the beacon is configured with a custom payload for monitoring, and the command line includes --monitor or --collect.