Adversaries are using the Cobalt Strike infrastructure listed below for command and control and data exfiltration, so traffic to these endpoints indicates a potential compromise of critical systems. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and contain advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 14
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 165[.]154[.]244[.]77:2562 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 106[.]75[.]230[.]47:80 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]233[.]169:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]233[.]184:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]233[.]180:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]226[.]39:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]56[.]48:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 121[.]41[.]177[.]231:80 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]226[.]61:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]190[.]110:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]216[.]49:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]233[.]185:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 156[.]234[.]226[.]46:37611 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 78[.]155[.]221[.]67:8078 | botnet_cc | 2026-03-18 | 50% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["106.75.230.47", "156.234.233.184", "156.234.233.180", "156.234.226.61", "156.234.233.169", "156.234.226.46", "156.234.190.110", "78.155.221.67", "156.234.216.49", "121.41.177.231", "156.234.56.48", "156.234.226.39", "156.234.233.185", "165.154.244.77"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["106.75.230.47", "156.234.233.184", "156.234.233.180", "156.234.226.61", "156.234.233.169", "156.234.226.46", "156.234.190.110", "78.155.221.67", "156.234.216.49", "121.41.177.231", "156.234.56.48", "156.234.226.39", "156.234.233.185", "165.154.244.77"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
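The queries above match on IP address alone, while the indicators are ip:port pairs; a pair match is a higher-confidence hit than an IP-only match on a different port (for example, a shared host on port 80). The following Python helper is an added example, not part of the original page or of any Sentinel content: it refangs the defanged table entries, emits a KQL `datatable` suitable for an ip:port join, and classifies constructed sample events as pair or IP-only matches.

```python
"""Refang defanged ip:port IOCs, emit a KQL datatable, and match exact pairs."""
import re

# Constructed subset of the indicator table above (defanged as published).
DEFANGED_IOCS = [
    "165[.]154[.]244[.]77:2562",
    "106[.]75[.]230[.]47:80",
    "156[.]234[.]233[.]169:37611",
    "78[.]155[.]221[.]67:8078",
]

_IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def refang(ioc):
    """'165[.]154[.]244[.]77:2562' -> ('165.154.244.77', 2562), with range checks."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"unrecognised ip:port indicator: {ioc!r}")
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    if any(int(o) > 255 for o in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"out-of-range address or port: {ioc!r}")
    return ip, port


def to_kql_datatable(iocs):
    """KQL datatable literal (hypothetical name c2_pairs) for an ip:port join."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in map(refang, iocs))
    return f"let c2_pairs = datatable(ip:string, port:int)[\n{rows}\n];"


def match_events(events, iocs):
    """'pair' = IP and port matched; 'ip_only' = IP matched on another port."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    results = []
    for ev in events:
        key = (ev["DestinationIP"], ev["DestinationPort"])
        if key in pairs:
            results.append((ev["SourceIP"], key, "pair"))
        elif key[0] in ips:
            results.append((ev["SourceIP"], key, "ip_only"))
    return results


# Constructed CommonSecurityLog-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "156.234.233.169", "DestinationPort": 37611},
    {"SourceIP": "10.0.0.9", "DestinationIP": "106.75.230.47", "DestinationPort": 443},
    {"SourceIP": "10.0.0.7", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]
```

Run `print(to_kql_datatable(DEFANGED_IOCS))` to get a block you can paste ahead of a `join kind=inner c2_pairs on $left.DestinationIP == $right.ip and $left.DestinationPort == $right.port` clause; `match_events(SAMPLE_EVENTS, DEFANGED_IOCS)` returns one pair hit and one IP-only hit for the constructed input.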
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform a health check.
Filter/Exclusion: Exclude events where the process name is beacon.exe and the command line includes --checkin or --verify.
Scenario: Admin Task to Generate Cobalt Strike Reports
Description: An administrator uses Cobalt Strike to generate internal reports or test network connectivity.
Filter/Exclusion: Exclude events where the user is a domain admin and the process is associated with cobaltstrike.exe with a command line containing --report or --test.
Scenario: PowerShell Script Using Cobalt Strike Beacon for Internal Monitoring
Description: A PowerShell script is used to run a Cobalt Strike beacon as part of internal monitoring or logging.
Filter/Exclusion: Exclude events where the process is initiated via PowerShell and the command line includes Invoke-Command or Start-Process with a known internal script.
Scenario: Legacy System Maintenance Using Cobalt Strike Tools
Description: An older system uses Cobalt Strike tools for maintenance tasks such as log collection or system diagnostics.
Filter/Exclusion: Exclude events where the process is initiated from a known legacy system maintenance script or directory (e.g., C:\LegacyTools\).
Scenario: Cobalt Strike Used for Red Team Training
Description: Security teams use Cobalt Strike during red team exercises to simulate attacks and test defenses.
Filter/Exclusion: Exclude events where the process is initiated from a known red team training directory (e.g., C:\RedTeam\) or where the user is a security team member with elevated privileges.