Adversaries are using the Cobalt Strike infrastructure listed below for command and control and for exfiltrating data from the network. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and mitigate advanced persistent threat activity early.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 15
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 81[.]69[.]253[.]132:80 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 47[.]242[.]0[.]207:8080 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 47[.]242[.]0[.]207:9999 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 114[.]134[.]187[.]38:9999 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 151[.]239[.]24[.]122:8080 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 151[.]239[.]24[.]122:443 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 151[.]239[.]24[.]122:80 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 64[.]90[.]3[.]208:7891 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 185[.]92[.]190[.]214:8896 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 185[.]92[.]190[.]216:8896 | botnet_cc | 2026-06-19 | 75% |
| domain | www.api-aws.xyz | botnet_cc | 2026-06-19 | 75% |
| ip:port | 45[.]140[.]213[.]6:8080 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 167[.]71[.]233[.]187:4443 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 47[.]122[.]118[.]128:8443 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 151[.]239[.]24[.]122:9090 | botnet_cc | 2026-06-19 | 100% |
```kusto
// Hunt for network connections to known malicious IPs in firewall/proxy logs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["47.122.118.128", "185.92.190.216", "114.134.187.38", "167.71.233.187", "47.242.0.207", "151.239.24.122", "45.140.213.6", "185.92.190.214", "81.69.253.132", "64.90.3.208"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (outbound connections from managed hosts)
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["47.122.118.128", "185.92.190.216", "114.134.187.38", "167.71.233.187", "47.242.0.207", "151.239.24.122", "45.140.213.6", "185.92.190.214", "81.69.253.132", "64.90.3.208"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["www.api-aws.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
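As an added example, not part of the original page, the query below is a higher-precision complement to the IP-only queries above: it matches on the exact ip:port pair from the IOC table across both CommonSecurityLog and DeviceNetworkEvents, carries the Confidence column through, and summarises hits per host so the 100% indicators sort first for triage. It assumes the same table schemas the queries above use and a 30-day lookback.

```kusto
// Added example: ip:port pair matching with confidence carried through (not from the original page)
// Pairs and confidence values are taken from the IOC table above.
let cs_c2 = datatable(RemoteIP:string, RemotePort:int, Confidence:int)
[
    "81.69.253.132", 80, 75,
    "47.242.0.207", 8080, 75,
    "47.242.0.207", 9999, 75,
    "114.134.187.38", 9999, 75,
    "151.239.24.122", 8080, 100,
    "151.239.24.122", 443, 100,
    "151.239.24.122", 80, 100,
    "64.90.3.208", 7891, 75,
    "185.92.190.214", 8896, 75,
    "185.92.190.216", 8896, 75,
    "45.140.213.6", 8080, 100,
    "167.71.233.187", 4443, 100,
    "47.122.118.128", 8443, 100,
    "151.239.24.122", 9090, 100
];
// Firewall/proxy flows normalised to a common RemoteIP/RemotePort shape
let csl = CommonSecurityLog
    | where TimeGenerated > ago(30d)
    | where isnotempty(DestinationIP)
    | project TimeGenerated, Source="CommonSecurityLog", Host=Computer,
              RemoteIP=DestinationIP, RemotePort=toint(DestinationPort),
              Process="", Action=DeviceAction;
// Endpoint flows from Defender for Endpoint, same shape (keeps the initiating process)
let dne = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | project TimeGenerated=Timestamp, Source="DeviceNetworkEvents", Host=DeviceName,
              RemoteIP, RemotePort=toint(RemotePort),
              Process=InitiatingProcessFileName, Action=ActionType;
union csl, dne
// Inner join on both keys: only exact ip:port matches survive
| join kind=inner cs_c2 on RemoteIP, RemotePort
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Hits=count(),
            Processes=make_set(Process, 10) by Host, RemoteIP, RemotePort, Confidence, Source
| order by Confidence desc, Hits desc
```

Run it alongside the IP-only queries rather than instead of them, since beacon infrastructure can be reused on ports not yet reported.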
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
The following scenarios may produce benign matches; each lists the exclusion to apply.

Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform a health check.
Filter/Exclusion: Exclude processes where the command line includes beacon or checkin and the parent process is a known scheduling tool such as schtasks.exe or Task Scheduler.

Scenario: Admin Task to Generate Cobalt Strike Reports
Description: An administrator uses Cobalt Strike to generate internal reports or test network connectivity.
Filter/Exclusion: Exclude processes initiated from the Cobalt Strike GUI or where the command line includes report or generate.

Scenario: PowerShell Script Using Cobalt Strike Modules
Description: A PowerShell script leverages Cobalt Strike modules for internal automation, such as log collection or system monitoring.
Filter/Exclusion: Exclude processes where the command line includes powershell.exe and the script path is a known internal script location (e.g., C:\scripts\ or C:\tools\).

Scenario: Cobalt Strike Used for Internal Red Team Exercise
Description: A red team exercise uses Cobalt Strike to simulate an attack and test security controls.
Filter/Exclusion: Exclude processes where the command line includes redteam or exercise, and the user is a known red team member or holds a specific security role.

Scenario: Cobalt Strike Beacon Used for Internal Monitoring
Description: A monitoring tool uses a Cobalt Strike beacon to track system performance or service status.
Filter/Exclusion: Exclude processes where the command line includes monitor or status, and the parent process is a known monitoring tool such as Nagios or Zabbix.