Adversaries are using Cobalt Strike Beacon, with the ThreatFox-reported C2 infrastructure listed below, for command and control and data exfiltration; a host talking to any of these addresses should be treated as actively compromised, with long-term persistence likely. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) and contain matching hosts before the intrusion progresses.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 10
IOC Types: ip:port, domain
Threat Type botnet_cc is ThreatFox's label for command-and-control infrastructure; Confidence is the reporter's confidence as recorded by ThreatFox.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 119[.]45[.]166[.]6:9443 | botnet_cc | 2026-06-05 | 75% |
| ip:port | 154[.]36[.]188[.]239:80 | botnet_cc | 2026-06-05 | 75% |
| ip:port | 204[.]194[.]49[.]142:8080 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 204[.]194[.]49[.]142:443 | botnet_cc | 2026-06-05 | 100% |
| domain | dev.useimage.sbs | botnet_cc | 2026-06-05 | 100% |
| ip:port | 107[.]150[.]105[.]91:80 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 119[.]45[.]166[.]6:8080 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 119[.]45[.]166[.]6:80 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 106[.]12[.]20[.]75:8080 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 106[.]12[.]20[.]75:80 | botnet_cc | 2026-06-05 | 100% |
Hunting Queries (KQL)

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Matches on IP alone. The feed pairs each IP with specific ports (80, 443, 8080, 9443);
// treat a hit on a DestinationPort outside that set as lower confidence, not as a miss.
let malicious_ips = dynamic(["106.12.20.75", "119.45.166.6", "107.150.105.91", "154.36.188.239", "204.194.49.142"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemoteUrl is checked as well so the domain IOC is covered even where DNS logging is absent
let malicious_ips = dynamic(["106.12.20.75", "119.45.166.6", "107.150.105.91", "154.36.188.239", "204.194.49.142"]);
let malicious_domains = dynamic(["dev.useimage.sbs"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
// has_any also matches subdomains of the listed name (e.g. cdn.dev.useimage.sbs)
let malicious_domains = dynamic(["dev.useimage.sbs"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector; requires firewalls or proxies to forward CEF events |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; requires Defender for Endpoint onboarding on the hosts |
| DnsEvents | Populated by the legacy Windows DNS connector; if you use the AMA-based DNS connector, query its ASim table instead |
False Positive Scenarios

Cobalt Strike is an offensive tool: outside an authorised engagement or a detection lab there is no legitimate reason for a host to beacon to the addresses above. Every exclusion below keys on the engagement's registered infrastructure, never on process name, command line, user role or script path, because those are exactly the attributes an attacker controls or impersonates.

Scenario: Authorised Red Team Engagement
Description: A red team runs Cobalt Strike against the organisation during a scheduled engagement. This is the only legitimate source of Beacon traffic on the network.
Filter/Exclusion: Exclude only hits from the engagement's registered hosts, inside the engagement window, whose destination is the engagement's registered team server. A registered team server would not normally appear in a ThreatFox feed, so a hit against the addresses above should be investigated even when it comes from a red team host or from a process named beacon.exe.

Scenario: Internal Testing of Cobalt Strike Payloads
Description: Detection engineers or a purple team execute Beacon payloads, including PowerShell stagers generated by Cobalt Strike, in a lab to validate detections.
Filter/Exclusion: The lab team server lives on an internal or dedicated address (e.g. 10.10.10.10); add that address to the exclusion list rather than a script path such as C:\Scripts\CobaltStrikeTest.ps1 or a security-operations user group. Lab traffic to the ThreatFox addresses above means the lab host is compromised or the payload was not built in-house.

Scenario: Administrative Use of the Cobalt Strike Client
Description: An operator generates reports or reviews logs with the Cobalt Strike client, which communicates with the team server, not with a Beacon C2.
Filter/Exclusion: No exclusion is needed, because this activity does not produce traffic to the addresses above. A hit from an administrator's workstation or from a security tooling directory still warrants a ticket; domain admin context is what an attacker seeks, not evidence of benign use.
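The following script is an added example, not code from ThreatFox or Microsoft Sentinel, that ties the hunting queries and the exclusion guidance together: it refangs the IOC rows from the table above, emits a port-aware CommonSecurityLog query (the feed pairs each IP with specific ports, which the IP-only queries ignore), and runs the same matching logic over constructed log records, applying an exclusion scoped to a registered engagement's own team server. The device names, the 10.10.10.10 lab address, the engagement window and the sample events are assumptions made for the example.

```python
"""Port-aware IOC matching for the ThreatFox Cobalt Strike list above.
Added example, not ThreatFox or Sentinel code; device names, the 10.10.10.10
lab C2, the engagement window and all sample records are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# IOC rows copied from the table above, defanged exactly as published.
IOC_ROWS = [
    ("ip:port", "119[.]45[.]166[.]6:9443"), ("ip:port", "154[.]36[.]188[.]239:80"),
    ("ip:port", "204[.]194[.]49[.]142:8080"), ("ip:port", "204[.]194[.]49[.]142:443"),
    ("domain", "dev.useimage.sbs"), ("ip:port", "107[.]150[.]105[.]91:80"),
    ("ip:port", "119[.]45[.]166[.]6:8080"), ("ip:port", "119[.]45[.]166[.]6:80"),
    ("ip:port", "106[.]12[.]20[.]75:8080"), ("ip:port", "106[.]12[.]20[.]75:80"),
]


def refang(value: str) -> str:
    """Undo the feed's defanging so values compare against raw log fields."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(rows):
    """Return (ip:port pairs, bare IPs, domains); a malformed IP raises ValueError."""
    ip_ports, domains = set(), set()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # fail loudly on a typo in the feed
            ip_ports.add((ip, int(port)))
        elif ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
    return ip_ports, {ip for ip, _ in ip_ports}, domains


def kql_for(rows) -> str:
    """Emit a CommonSecurityLog hunt that keeps IP-only hits but flags exact ip:port matches."""
    ip_ports, ips, _ = parse_iocs(rows)
    pairs = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(ip_ports))
    ip_list = ", ".join(f'"{ip}"' for ip in sorted(ips))
    return (
        f"let ioc_pairs = datatable(ip:string, port:int) [\n{pairs}\n];\n"
        f"let ioc_ips = dynamic([{ip_list}]);\n"
        "CommonSecurityLog\n"
        "| where DestinationIP in (ioc_ips)\n"
        "| join kind=leftouter ioc_pairs on $left.DestinationIP == $right.ip, "
        "$left.DestinationPort == $right.port\n"
        "| extend PortMatch = isnotempty(ip)\n"
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity\n"
        "| order by TimeGenerated desc"
    )


@dataclass(frozen=True)
class NetEvent:
    time: datetime
    device: str
    dst_ip: str
    dst_port: int
    process: str  # kept for the analyst; deliberately never used for exclusion


@dataclass(frozen=True)
class Engagement:
    """A registered red-team engagement: its hosts, its window and its own team server."""
    hosts: frozenset
    c2_addresses: frozenset
    start: datetime
    end: datetime


def hunt(events, rows, engagement=None):
    """Return (device, dst_ip, dst_port, match_kind, excluded) per IOC hit.
    A hit is excluded only from a registered host, inside the window, AND
    toward the engagement's registered team server; process name is ignored."""
    ip_ports, ips, _ = parse_iocs(rows)
    hits = []
    for e in events:
        if e.dst_ip not in ips:
            continue
        kind = "ip+port" if (e.dst_ip, e.dst_port) in ip_ports else "ip-only"
        excluded = bool(engagement and e.device in engagement.hosts
                        and engagement.start <= e.time <= engagement.end
                        and e.dst_ip in engagement.c2_addresses)
        hits.append((e.device, e.dst_ip, e.dst_port, kind, excluded))
    return hits


def dns_hits(queries, rows):
    """Match DNS query names against the feed's domains, subdomains included."""
    _, _, domains = parse_iocs(rows)
    out = []
    for device, name in queries:
        n = name.lower().rstrip(".")
        if any(n == d or n.endswith("." + d) for d in domains):
            out.append((device, n))
    return out


# Constructed sample telemetry (not real data).
T = datetime(2026, 6, 6, 9, 0, tzinfo=timezone.utc)
ENGAGEMENT = Engagement(frozenset({"redteam-ws01"}), frozenset({"10.10.10.10"}),
                        datetime(2026, 6, 1, tzinfo=timezone.utc), datetime(2026, 6, 30, tzinfo=timezone.utc))
SAMPLE_EVENTS = [
    NetEvent(T, "ws-fin-07", "204.194.49.142", 443, "rundll32.exe"),
    NetEvent(T, "srv-web-02", "119.45.166.6", 8443, "w3wp.exe"),             # IP listed, port is not
    NetEvent(T, "redteam-ws01", "204.194.49.142", 8080, "beacon.exe --checkin"),  # still a real hit
    NetEvent(T, "redteam-ws01", "10.10.10.10", 443, "beacon.exe"),           # registered lab C2, no IOC match
    NetEvent(T, "ws-hr-03", "8.8.8.8", 53, "svchost.exe"),
]
SAMPLE_DNS = [("ws-fin-07", "cdn.dev.useimage.sbs."), ("ws-hr-03", "useimage.sbs")]

if __name__ == "__main__":
    print(kql_for(IOC_ROWS))
    for hit in hunt(SAMPLE_EVENTS, IOC_ROWS, ENGAGEMENT):
        print(hit)
    print(dns_hits(SAMPLE_DNS, IOC_ROWS))
```

Note that the red team host running `beacon.exe --checkin` toward 204.194.49.142 is reported as a hit even though the engagement is active, because the engagement registered 10.10.10.10 as its team server; the exclusion only fires if an engagement explicitly registers one of the feed's addresses, which is the decision an analyst should have to make consciously.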