The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 2
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 142[.]171[.]172[.]100:17443 | botnet_cc | 2026-05-10 | 75% |
| domain | api.apifox.top | botnet_cc | 2026-05-10 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the IOC is 142.171.172.100:17443; this query matches the IP on any port,
// so compare DestinationPort in the results against 17443.
let malicious_ips = dynamic(["142.171.172.100"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
// Note: the IOC is 142.171.172.100:17443; RemotePort is projected so the port can be checked.
let malicious_ips = dynamic(["142.171.172.100"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
// has_any matches the domain itself and any subdomain of it
let malicious_domains = dynamic(["api.apifox.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
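The three queries above folded into a single hunt that keeps the ip:port IOC as a pair instead of matching the IP on any port, as an added example that is not part of the original detection. It assumes the standard Sentinel column names for the three tables and that DeviceNetworkEvents carries TimeGenerated as Sentinel tables do.

```kusto
// Added example, not part of the original detection. Assumes the standard Sentinel
// schemas for CommonSecurityLog, DeviceNetworkEvents and DnsEvents.
// The ip:port IOC is kept as a pair (the page's queries match the IP on any port).
let ioc_endpoints = datatable(RemoteIP:string, RemotePort:int) [
    "142.171.172.100", 17443
];
let malicious_domains = dynamic(["api.apifox.top"]);
// Normalise both network sources to one schema before matching.
let network_hits =
    union
        (CommonSecurityLog
         | project TimeGenerated, Host = Computer, RemoteIP = DestinationIP,
                   RemotePort = DestinationPort, Process = ""),
        (DeviceNetworkEvents
         | project TimeGenerated, Host = DeviceName, RemoteIP, RemotePort,
                   Process = InitiatingProcessFileName)
    | join kind=inner ioc_endpoints on RemoteIP, RemotePort
    | project TimeGenerated, Host, Process, Source = "network",
              Indicator = strcat(RemoteIP, ":", tostring(RemotePort));
// Resolutions of the C2 domain or any of its subdomains.
let dns_hits =
    DnsEvents
    | where Name has_any (malicious_domains)
    | project TimeGenerated, Host = Computer, Process = "", Source = "dns",
              Indicator = Name;
// One result set per host and indicator, with the processes that made contact.
network_hits
| union dns_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Processes = make_set(Process)
    by Host, Indicator, Source
| order by LastSeen desc
```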
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: A red team or security team is using Cobalt Strike for authorized penetration testing.
Filter/Exclusion: Check for the presence of CobaltStrike.exe in known red team directories (e.g., C:\RedTeam\Tools\) or use a process name filter like process.name = "CobaltStrike.exe" and file.path contains "RedTeam".
Scenario: Scheduled Job for Log Collection or Monitoring
Description: A scheduled task is running a script to collect logs or monitor system activity, which may include commands or files similar to Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes associated with log collection tools (e.g., logparser.exe, splunkforwarder.exe) or use a command line filter like process.name = "schtasks.exe" or file.name = "logparser.exe".
Scenario: System Administration Task Involving PowerShell Scripts
Description: An admin is running a PowerShell script for system maintenance or configuration management, which may include commands or file names that match Cobalt Strike IOCs.
Filter/Exclusion: Exclude PowerShell scripts executed by admin accounts (e.g., user.name = "Administrator") or use a command line filter like process.name = "powershell.exe" and user.name = "Administrator".
Scenario: Antivirus or EDR Tool Generating False Positives
Description: A security tool is scanning files and generating alerts for known malicious patterns, which may include Cobalt Strike-related IOCs.
Filter/Exclusion: Exclude files flagged by known security tools (e.g., file.name contains "Malwarebytes" or "Windows Defender") or use a file hash filter to exclude known benign hashes.
**Scenario: Development Environment with Cob