Adversaries are using Cobalt Strike to establish command and control, leveraging known IOCs to exfiltrate data and maintain persistence. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary

Malware Family: Cobalt Strike
Total IOCs: 6
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]211[.]130[.]16:443 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 172[.]245[.]156[.]179:18443 | botnet_cc | 2026-05-05 | 75% |
| domain | webshareclouds.com | botnet_cc | 2026-05-05 | 75% |
| domain | perfectgo.top | botnet_cc | 2026-05-05 | 75% |
| ip:port | 108[.]165[.]100[.]97:80 | botnet_cc | 2026-05-05 | 100% |
| ip:port | 45[.]194[.]20[.]130:80 | botnet_cc | 2026-05-05 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: this matches on the IP alone; the ports listed in the IOC table are not checked.
let malicious_ips = dynamic(["8.211.130.16", "172.245.156.179", "45.194.20.130", "108.165.100.97"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["8.211.130.16", "172.245.156.179", "45.194.20.130", "108.165.100.97"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["webshareclouds.com", "perfectgo.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
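The hunting queries above match on IP address alone and drop the port that ThreatFox supplies with each indicator. The helper below is an added example, not part of the original page or the ThreatFox feed: it refangs the defanged rows from the IOC table, rejects malformed rows, and generates KQL that joins CommonSecurityLog on the IP and port pair (assuming, as in the Sentinel schema, that DestinationPort is an integer column) plus a DnsEvents query that also catches subdomains of the listed domains.

```python
import re

# Constructed sample input: the six rows from the IOC table above, still defanged.
IOC_ROWS = [
    ("ip:port", "8[.]211[.]130[.]16:443"),
    ("ip:port", "172[.]245[.]156[.]179:18443"),
    ("domain", "webshareclouds.com"),
    ("domain", "perfectgo.top"),
    ("ip:port", "108[.]165[.]100[.]97:80"),
    ("ip:port", "45[.]194[.]20[.]130:80"),
]

def refang(value: str) -> str:
    """Undo the '[.]' defanging used in the table so values match raw log fields."""
    return value.replace("[.]", ".")

def parse_ip_port(value: str) -> tuple:
    """Split a defanged 'ip:port' IOC into (address, port). Malformed rows raise
    instead of silently becoming a filter that can never match."""
    ip, sep, port = refang(value).rpartition(":")
    if not sep or not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"malformed ip:port IOC: {value!r}")
    return ip, int(port)

def build_ip_port_kql(rows) -> str:
    """CommonSecurityLog hunt that matches the IP *and* port pair via a join,
    so a shared host talking on an unrelated port is not flagged."""
    pairs = [parse_ip_port(v) for t, v in rows if t == "ip:port"]
    table_rows = ", ".join(f'"{ip}", {port}' for ip, port in pairs)
    return "\n".join([
        f"let c2 = datatable(ip:string, port:int) [{table_rows}];",
        "CommonSecurityLog",
        "| join kind=inner c2 on $left.DestinationIP == $right.ip and $left.DestinationPort == $right.port",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity",
        "| order by TimeGenerated desc",
    ])

def build_domain_kql(rows) -> str:
    """DnsEvents hunt that matches each listed domain and any subdomain of it."""
    domains = [refang(v) for t, v in rows if t == "domain"]
    exact = ", ".join(f'"{d}"' for d in domains)
    subs = " or ".join(f'Name endswith ".{d}"' for d in domains)
    return "\n".join([
        f"let c2_domains = dynamic([{exact}]);",
        "DnsEvents",
        f"| where Name in~ (c2_domains) or {subs}",
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType",
        "| order by TimeGenerated desc",
    ])
```

Call `build_ip_port_kql(IOC_ROWS)` and `build_domain_kql(IOC_ROWS)` and paste the output into Sentinel's Logs blade; regenerate when the feed changes rather than editing the query by hand.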
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Cobalt Strike Beacon Check | A legitimate scheduled job runs to verify the presence of a Cobalt Strike beacon for monitoring purposes. | Exclude processes where the command line contains --check-beacon or --verify-beacon. |
| Admin Task to Generate Cobalt Strike Test Payload | An admin uses Cobalt Strike to generate a test payload for internal security testing. | Exclude processes where the user is a domain admin and the command line includes --test or --simulate. |
| Automated Log Collection Using Cobalt Strike Tools | A security tool like Logstash or Splunk is configured to use Cobalt Strike for log collection in a controlled environment. | Exclude processes where the parent process is a known log collection tool (e.g., splunkd, logstash) or where the command line includes --log-collect. |
| Cobalt Strike Used for Internal Red Team Exercise | A red team exercise uses Cobalt Strike to simulate a breach in a controlled lab environment. | Exclude processes where the user is part of a red team group (e.g., RedTeam) and the command line includes --exercise or --lab. |
| Cobalt Strike Beacon Used for Internal Monitoring | A beacon is used to monitor system health or network traffic within the enterprise. | Exclude processes where the beacon is configured with a known internal C2 server (e.g., 10.0.0.1) and the command line includes --monitor or --health-check. |

Exclusions keyed on command-line flags or group membership are easy for an intruder to imitate, so scope each one to the specific hosts, accounts and time window of the approved activity rather than applying it tenant-wide.