This detection flags network connections to IP:port pairs published as Cobalt Strike command-and-control (C2) servers. A match means a host is, or recently was, reaching out to known beacon infrastructure: C2 traffic is evidence of an active implant rather than of persistence or lateral movement by itself, although both commonly follow once an operator has a working beacon. SOC teams should hunt for this traffic proactively in Microsoft Sentinel (formerly Azure Sentinel) rather than waiting for an alert, because public IOC feeds lag the actual infrastructure and a single match is often the first visible sign of an intrusion.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 62[.]234[.]144[.]140:80 | botnet_cc | 2026-04-23 | 100% |
| ip:port | 124[.]223[.]70[.]155:80 | botnet_cc | 2026-04-23 | 100% |
| ip:port | 211[.]154[.]20[.]173:4443 | botnet_cc | 2026-04-22 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// The published IOCs are ip:port pairs. This query matches on IP alone
// (deliberately broad, so a rotated port is not missed) and projects the
// destination port so the analyst can see whether it agrees with the feed.
let malicious_ips = dynamic(["62.234.144.140", "211.154.20.173", "124.223.70.155"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// RemoteIP covers the outbound beacon check-in; InitiatingProcessFileName is
// the first thing to triage, since a beacon usually lives in an unexpected
// or injected process rather than a browser.
let malicious_ips = dynamic(["62.234.144.140", "211.154.20.173", "124.223.70.155"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connectors (firewalls, proxies, NDR). Confirm the connector is enabled and that the devices you expect are actually sending; an empty result from a connector that is not ingesting is not a clean bill of health. |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector with Defender for Endpoint raw events enabled. Confirm the connector is enabled and that onboarded devices are reporting. |
Scenario: Authorized Red Team or Purple Team Engagement
Description: The security team runs Cobalt Strike against the environment under signed rules of engagement. This is the only legitimate reason for Cobalt Strike beacon traffic on a corporate network. Verify the engagement before closing the alert: real intrusions are routinely misattributed to "the red team", and an engagement using public, feed-listed C2 infrastructure such as the IOCs above would be unusual.
Filter/Exclusion: Exclude by engagement scope only: the team server IPs, the engagement window, and the in-scope source hosts, maintained in a Sentinel watchlist and removed when the engagement ends. Do not exclude on user names, process names, or command-line strings; every one of those is under the attacker's control and is trivial to mimic.
Scenario: Shared or Recycled Hosting Infrastructure
Description: C2 servers are commonly stood up on cloud or VPS providers. After a takedown the IP may be reassigned to an unrelated tenant, or the same IP may front shared hosting or a CDN. A connection to the IP on a port other than the published one, or a proxy fetching unrelated content from it, may be benign.
Filter/Exclusion: Require the destination port to match the IOC before treating a hit as high confidence, weigh the First Seen date (older indicators are more likely to have been recycled), and confirm with the initiating process and the URL or TLS SNI before closing as benign. Do not blanket-exclude the IP.
Scenario: Security Tooling That Deliberately Contacts the IOC
Description: Malware sandboxes, threat-intelligence enrichment jobs, vulnerability scanners, and analyst research VMs may connect to known-bad IPs on purpose, for example to detonate a sample or verify that infrastructure is still live.
Filter/Exclusion: Exclude those specific source hosts by name or IP from a watchlist, keep the list short, and review it periodically; a compromised analyst VM would otherwise be invisible.
Claims such as a scheduled task that "runs a beacon to check connectivity", a maintenance script that "collects logs with Cobalt Strike", a developer "signing code" with it, or a discovery tool "mapping the network with a beacon" do not describe legitimate use: Cobalt Strike has no role in log collection, code signing, or routine network inventory. If a hit is explained away in those terms, treat it as a compromise with a plausible-sounding cover story and escalate.
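The two hunt queries above match on IP alone even though the feed publishes ip:port pairs, and the exclusion guidance depends on scoping by source host rather than by attacker-controlled strings. The following Python example, added here and not part of the original page or of any Sentinel tooling, shows that logic end to end: it refangs the published indicators, matches constructed DeviceNetworkEvents-shaped records on ip:port (with an IP-only fallback labelled as such), and flags rather than drops events from a hypothetical watchlist of authorized red-team hosts. The event records, host names and the watchlist are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, asdict

# The three ip:port indicators from the IOC table, exactly as published
# (defanged) with their ThreatFox confidence. The values are the page's;
# the code around them is an added example.
RAW_IOCS = [
    ("62[.]234[.]144[.]140:80", 100),
    ("124[.]223[.]70[.]155:80", 100),
    ("211[.]154[.]20[.]173:4443", 75),
]


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value compares equal to real log fields."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def parse_ip_port_iocs(raw_iocs, min_confidence: int = 0) -> dict:
    """Return {(ip, port): confidence}.

    A malformed indicator raises instead of silently never matching, which is
    the failure mode you actually want to notice in a hunt query.
    """
    iocs = {}
    for value, confidence in raw_iocs:
        if confidence < min_confidence:
            continue
        host, _, port = refang(value).rpartition(":")
        ip = ipaddress.ip_address(host)  # validates the address
        iocs[(str(ip), int(port))] = confidence
    return iocs


@dataclass
class Hit:
    device: str
    remote: str
    process: str
    match: str        # "ip:port" (exact IOC) or "ip-only" (same host, other port)
    confidence: int
    suppressed: bool  # True when the source host is on the authorized red-team list


def hunt(events, iocs, authorized_hosts=frozenset()):
    """Match DeviceNetworkEvents-shaped records against the IOC set.

    Exact ip:port matches carry the IOC's confidence. The same IP on another
    port is still reported (the operator may have rotated ports, or the host
    may be shared infrastructure) but labelled so an analyst can triage it.
    Events from authorized red-team hosts are kept and flagged, not dropped,
    so the engagement can be reconciled against the telemetry afterwards.
    """
    by_ip = {}
    for (ip, port), conf in iocs.items():
        by_ip.setdefault(ip, {})[port] = conf
    hits = []
    for ev in events:
        ports = by_ip.get(ev["RemoteIP"])
        if ports is None:
            continue
        if ev["RemotePort"] in ports:
            match, conf = "ip:port", ports[ev["RemotePort"]]
        else:
            match, conf = "ip-only", max(ports.values())
        hits.append(Hit(
            device=ev["DeviceName"],
            remote=f'{ev["RemoteIP"]}:{ev["RemotePort"]}',
            process=ev["InitiatingProcessFileName"],
            match=match,
            confidence=conf,
            suppressed=ev["DeviceName"] in authorized_hosts,
        ))
    return hits


# Constructed sample events (not real telemetry), shaped like DeviceNetworkEvents.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-04-23T10:01:02Z", "DeviceName": "ws-fin-07",
     "RemoteIP": "62.234.144.140", "RemotePort": 80,
     "InitiatingProcessFileName": "rundll32.exe"},        # exact IOC match
    {"Timestamp": "2026-04-23T10:06:40Z", "DeviceName": "ws-fin-07",
     "RemoteIP": "62.234.144.140", "RemotePort": 443,
     "InitiatingProcessFileName": "rundll32.exe"},        # same IP, other port
    {"Timestamp": "2026-04-23T11:15:00Z", "DeviceName": "redteam-01",
     "RemoteIP": "211.154.20.173", "RemotePort": 4443,
     "InitiatingProcessFileName": "beacon.exe"},          # authorized engagement host
    {"Timestamp": "2026-04-23T11:20:13Z", "DeviceName": "srv-web-02",
     "RemoteIP": "203.0.113.10", "RemotePort": 443,
     "InitiatingProcessFileName": "w3wp.exe"},            # no match
]

# Hypothetical watchlist of hosts covered by a signed red-team engagement.
AUTHORIZED_REDTEAM_HOSTS = frozenset({"redteam-01"})

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, parse_ip_port_iocs(RAW_IOCS), AUTHORIZED_REDTEAM_HOSTS):
        print(asdict(hit))
```

The same shape translates directly to KQL: a watchlist for the authorized hosts, a join on both RemoteIP and RemotePort for the exact matches, and a second pass on RemoteIP alone that tags its rows as lower confidence instead of discarding them.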