Adversaries may use Cobalt Strike to establish command and control, exfiltrate data and maintain persistence within the network; the known IOCs below identify its C2 infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate Cobalt Strike-based activity before it causes significant damage.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 17
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 120[.]48[.]66[.]205:443 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 39[.]106[.]160[.]181:801 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 119[.]27[.]173[.]104:5555 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 47[.]95[.]255[.]110:443 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 47[.]95[.]255[.]110:8080 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 47[.]95[.]255[.]110:80 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 116[.]213[.]42[.]110:2003 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 116[.]213[.]42[.]110:443 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 116[.]213[.]42[.]110:80 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 39[.]106[.]160[.]181:808 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 8[.]163[.]49[.]50:8080 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 8[.]163[.]49[.]50:443 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 78[.]17[.]71[.]43:443 | botnet_cc | 2026-05-28 | 50% |
| ip:port | 39[.]106[.]160[.]181:443 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 39[.]106[.]160[.]181:8080 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 116[.]213[.]42[.]110:8080 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 39[.]106[.]160[.]181:80 | botnet_cc | 2026-05-28 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["119.27.173.104", "39.106.160.181", "47.95.255.110", "78.17.71.43", "120.48.66.205", "116.213.42.110", "8.163.49.50"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["119.27.173.104", "39.106.160.181", "47.95.255.110", "78.17.71.43", "120.48.66.205", "116.213.42.110", "8.163.49.50"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: A red team member is running a Cobalt Strike simulation as part of a security training exercise.
Filter/Exclusion: Check for presence of redteam or training in the command line or process name, or filter by user (e.g., redteam_user).
Scenario: Scheduled Job for System Maintenance
Description: A scheduled job is running a maintenance script that uses ps or tasklist commands, which may be flagged as Cobalt Strike IOCs.
Filter/Exclusion: Filter by process name (e.g., schtasks.exe, task scheduler) or check for known maintenance scripts in the system path.
Scenario: Admin Task Involving Process Enumeration
Description: An administrator is using Process Explorer or PowerShell to enumerate running processes as part of routine system monitoring.
Filter/Exclusion: Filter by user (e.g., admin, system) or check for presence of Process Explorer or PowerShell in the command line.
Scenario: Cobalt Strike Beacon Communication with Internal Server
Description: A legitimate Cobalt Strike beacon is communicating with an internal C2 server for command and control.
Filter/Exclusion: Check for internal IP ranges in the C2 communication, or verify if the beacon is registered with the SOC’s asset inventory.
Scenario: Cobalt Strike Beacon Used for Internal Lateral Movement
Description: A Cobalt Strike beacon is being used for internal lateral movement within a segmented network.
Filter/Exclusion: Filter by source IP (e.g., internal network segments) and verify if the beacon is part of a known internal toolset or authorized pentest activity.
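The hunt queries above match on IP address alone, so a host such as 47[.]95[.]255[.]110 that appears in the feed on three ports would also fire on traffic to any other port it serves. The following added example (not part of the original page or of any ThreatFox or Sentinel tooling) parses the defanged IOC table into validated ip:port pairs, drops rows below a chosen confidence, and renders a Sentinel query that joins DeviceNetworkEvents against the exact pairs. It also applies the kind of authorized-source exclusion that the red team scenario above calls for. The table rows are copied from the page; the authorized red team address in AUTHORIZED_SOURCES is a constructed placeholder, and the DeviceNetworkEvents column names are the real ones the page already uses.

```python
import ipaddress
import re
from typing import Iterable, List, Sequence, Tuple

# Constructed sample: a handful of rows copied from the IOC table above, in the
# defanged "a[.]b[.]c[.]d:port" form that threat feeds such as ThreatFox publish.
SAMPLE_ROWS = [
    "| ip:port | 120[.]48[.]66[.]205:443 | botnet_cc | 2026-05-28 | 100% |",
    "| ip:port | 39[.]106[.]160[.]181:801 | botnet_cc | 2026-05-28 | 100% |",
    "| ip:port | 47[.]95[.]255[.]110:443 | botnet_cc | 2026-05-28 | 100% |",
    "| ip:port | 47[.]95[.]255[.]110:8080 | botnet_cc | 2026-05-28 | 100% |",
    "| ip:port | 78[.]17[.]71[.]43:443 | botnet_cc | 2026-05-28 | 50% |",
]

# Constructed placeholder: the source address of an authorized red team host
# that the "Legitimate Cobalt Strike Usage" scenario says should be excluded.
AUTHORIZED_SOURCES = ["10.10.20.5"]

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")

Pair = Tuple[str, int, int]  # (ip, port, confidence)


def refang(value: str) -> str:
    """Turn a defanged '120[.]48[.]66[.]205' back into a real dotted quad."""
    return DEFANG_RE.sub(".", value)


def parse_rows(rows: Iterable[str], min_confidence: int = 0) -> List[Pair]:
    """Parse markdown IOC rows into validated (ip, port, confidence) tuples.

    A malformed IP or port raises instead of silently producing a query
    that would never match anything.
    """
    pairs: List[Pair] = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] != "ip:port":
            continue  # header, separator line, or a row of another IOC type
        ip_raw, port_raw = refang(cells[1]).rsplit(":", 1)
        ip = str(ipaddress.ip_address(ip_raw))  # ValueError on garbage
        port = int(port_raw)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in row: {row!r}")
        confidence = int(cells[4].rstrip("%"))
        if confidence >= min_confidence:
            pairs.append((ip, port, confidence))
    return pairs


def unique_ips(pairs: Sequence[Pair]) -> List[str]:
    """Distinct IPs, sorted numerically rather than as strings."""
    return sorted({ip for ip, _, _ in pairs}, key=ipaddress.ip_address)


def build_kql(pairs: Sequence[Pair], authorized_sources: Sequence[str] = ()) -> str:
    """Render a Sentinel query that matches exact ip:port pairs via a datatable join.

    Column names (RemoteIP, RemotePort, LocalIP, ...) are those of the
    DeviceNetworkEvents table already used on this page.
    """
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port, _ in pairs)
    lines = [
        "// Cobalt Strike C2 hunt: exact ip:port match, generated from the IOC table",
        "let ioc_pairs = datatable(RemoteIP:string, RemotePort:int) [",
        rows,
        "];",
        "DeviceNetworkEvents",
        "| join kind=inner ioc_pairs on RemoteIP, RemotePort",
    ]
    if authorized_sources:
        allow = ", ".join(f'"{ip}"' for ip in authorized_sources)
        lines.append(f"| where not(LocalIP in ({allow}))  // authorized red team hosts")
    lines += [
        "| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort,",
        "          InitiatingProcessFileName, InitiatingProcessAccountName, ActionType",
        "| order by Timestamp desc",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    iocs = parse_rows(SAMPLE_ROWS, min_confidence=100)
    print("distinct IPs:", unique_ips(iocs))
    print(build_kql(iocs, AUTHORIZED_SOURCES))
```

Running the script prints the generated query, which can be pasted into Sentinel as-is. Filtering on confidence before rendering keeps the 50% entry out of an analytics rule while still letting an analyst include it in a broader manual hunt, and excluding only the authorized red team source address (rather than the C2 destination) means any other host talking to the same infrastructure still alerts.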