The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating possible adversary persistence and lateral movement within the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary

Malware Family: Cobalt Strike
Total IOCs: 23
IOC Types: ip:port
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the ThreatFox indicators are ip:port pairs, but this query matches on the IP alone;
// confirm DestinationPort against the listed port (and the indicator's confidence) when triaging a hit.
let malicious_ips = dynamic(["1.92.101.103", "223.166.31.237", "39.108.114.1", "183.63.173.29", "103.149.93.107", "45.152.65.240", "172.86.72.240", "121.43.243.13", "120.55.170.103", "139.224.130.183", "114.134.187.38", "43.142.137.169", "106.15.62.81", "47.121.117.88"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Same IP-only match as above: check RemotePort and InitiatingProcessFileName on any hit before escalating.
let malicious_ips = dynamic(["1.92.101.103", "223.166.31.237", "39.108.114.1", "183.63.173.29", "103.149.93.107", "45.152.65.240", "172.86.72.240", "121.43.243.13", "120.55.170.103", "139.224.130.183", "114.134.187.38", "43.142.137.169", "106.15.62.81", "47.121.117.88"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
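The queries above match on IP alone, while the ThreatFox indicators are ip:port pairs. As an added example that is not part of the original page, the following Python carries out the same matching over constructed records so that an exact ip:port hit is separated from a lower-fidelity IP-only overlap; it assumes ThreatFox's defanged `ip[.]port` table line format and uses TEST-NET addresses, not the page's indicators.

```python
import ipaddress
import re

# Constructed IOC lines in the defanged "ip[.]port" table format (TEST-NET
# addresses, not real indicators): type | value | threat type | first seen | confidence
SAMPLE_IOCS = """\
ip:port | 203[.]0[.]113[.]10:8080 | botnet_cc | 2026-05-20 | 100%
ip:port | 203[.]0[.]113[.]10:443 | botnet_cc | 2026-05-20 | 100%
ip:port | 198[.]51[.]100[.]7:4443 | botnet_cc | 2026-05-19 | 50%
"""

# Constructed flow records shaped like CommonSecurityLog rows.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-21T08:00:01Z", "SourceIP": "10.0.0.5", "DestinationIP": "203.0.113.10", "DestinationPort": 8080},
    {"TimeGenerated": "2026-05-21T08:00:09Z", "SourceIP": "10.0.0.5", "DestinationIP": "203.0.113.10", "DestinationPort": 25},
    {"TimeGenerated": "2026-05-21T08:01:00Z", "SourceIP": "198.51.100.7", "DestinationIP": "10.0.0.9", "DestinationPort": 445},
    {"TimeGenerated": "2026-05-21T08:02:00Z", "SourceIP": "10.0.0.6", "DestinationIP": "93.184.216.34", "DestinationPort": 443},
]

IOC_RE = re.compile(r"^\s*ip:port\s*\|\s*(?P<ip>[^|:]+):(?P<port>\d+)\s*\|[^|]*\|[^|]*\|\s*(?P<conf>\d+)%")

def refang(value: str) -> str:
    """Turn a defanged address like 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return value.replace("[.]", ".").strip()

def parse_iocs(text: str) -> dict[tuple[str, int], int]:
    """Map (ip, port) -> confidence; lines that do not parse are skipped, malformed IPs raise."""
    iocs = {}
    for line in text.splitlines():
        m = IOC_RE.match(line)
        if not m:
            continue
        ip = str(ipaddress.ip_address(refang(m["ip"])))
        iocs[(ip, int(m["port"]))] = int(m["conf"])
    return iocs

def match_events(iocs, events):
    """Exact destination ip:port hit -> high fidelity; the IOC address on another port or
    as the source of an inbound flow -> IP-only overlap that needs analyst review."""
    ioc_ips = {ip for ip, _ in iocs}
    findings = []
    for ev in events:
        key = (ev["DestinationIP"], int(ev["DestinationPort"]))
        if key in iocs:
            findings.append({"event": ev, "fidelity": "ip+port", "confidence": iocs[key]})
        elif ev["DestinationIP"] in ioc_ips or ev["SourceIP"] in ioc_ips:
            findings.append({"event": ev, "fidelity": "ip-only", "confidence": None})
    return findings
```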
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: Security teams may use Cobalt Strike as part of authorized red team simulations.
Filter/Exclusion: Check for presence of redteam or authorized in the process name or command line arguments.
Example Filter: process.name != "cobaltstrike.exe" OR process.command_line contains "redteam"
Scenario: Scheduled Job for System Maintenance
Description: A scheduled task may run a script that uses certutil or powershell to update certificates or system files.
Filter/Exclusion: Exclude processes associated with Task Scheduler or certutil used for certificate management.
Example Filter: process.name != "certutil.exe" OR process.parent_process contains "schtasks.exe"
Scenario: Admin Task Using PowerShell for Log Collection
Description: System administrators may use PowerShell to collect logs or perform system diagnostics.
Filter/Exclusion: Exclude PowerShell scripts that are known to be used for log collection or system monitoring.
Example Filter: process.name != "powershell.exe" OR process.command_line contains "Get-EventLog" OR process.command_line contains "Get-Event"
Scenario: Legitimate Use of curl or wget for Software Updates
Description: IT teams may use curl or wget to download software updates or configuration files from internal servers.
Filter/Exclusion: Exclude traffic to internal IP ranges or known internal update servers.
Example Filter: destination_ip not in internal_networks OR source_ip not in internal_networks
Scenario: Use of msiexec for Software Deployment
Description: IT administrators may use msiexec to deploy software packages across the network.