The detection identifies potential Cobalt Strike infrastructure usage through known IOCs, indicating possible adversary command and control activity. SOC teams should proactively hunt for this behavior to uncover advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 30
IOC Types: ip:port, domain
Hunting Queries

```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: matches on IP only; the feed lists ip:port pairs, so confirm the port in results
let malicious_ips = dynamic(["180.131.145.97", "206.188.197.241", "193.221.200.161", "5.101.84.202", "118.31.114.149", "180.178.160.215", "172.86.72.240", "107.173.38.158", "175.24.175.158", "47.236.110.1", "193.142.146.30", "129.28.26.51", "59.110.81.93", "43.173.248.150", "154.201.68.191", "202.60.229.22", "129.204.14.131", "106.14.30.169", "23.236.64.231", "49.232.4.144", "23.106.135.33", "180.178.160.153", "18.133.255.252", "170.106.199.68"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["180.131.145.97", "206.188.197.241", "193.221.200.161", "5.101.84.202", "118.31.114.149", "180.178.160.215", "172.86.72.240", "107.173.38.158", "175.24.175.158", "47.236.110.1", "193.142.146.30", "129.28.26.51", "59.110.81.93", "43.173.248.150", "154.201.68.191", "202.60.229.22", "129.204.14.131", "106.14.30.169", "23.236.64.231", "49.232.4.144", "23.106.135.33", "180.178.160.153", "18.133.255.252", "170.106.199.68"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["xulnai.com", "fq3gm5xphax8c.cfc-execute.bj.baidubce.com", "a3tf75e7k596x.cfc-execute.bj.baidubce.com", "linuxkerneldbs.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
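The queries above are built by hand from a defanged ThreatFox-style IOC table (`180[.]131[.]145[.]97:9995`). The following added example, not code from the page or from ThreatFox, shows how to refang such a table, split `ip:port` from `domain` rows, and emit the Kusto `let` bindings the queries need, plus a port-aware `datatable` so the hunt can match on the C2 port as well as the IP. The sample rows use RFC 5737 documentation addresses and example.com, constructed for this example only.

```python
import re
from ipaddress import ip_address

# Constructed sample rows in the ThreatFox-style Type/Value table layout; RFC 5737
# addresses and example.com are documentation-only values, not real indicators.
SAMPLE_IOCS = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]0[.]2[.]10:443 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 192[.]0[.]2[.]10:8080 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 198[.]51[.]100[.]7:80 | botnet_cc | 2026-05-22 | 50% |
| domain | c2[.]example[.]com | botnet_cc | 2026-05-22 | 75% |
"""

def refang(value: str) -> str:
    """Undo the common '[.]' and 'hxxp' defanging used in shared IOC lists."""
    return re.sub(r"\[\.\]", ".", value).replace("hxxp", "http")

def parse_ioc_table(text: str) -> dict:
    """Return {'ip_port': [(ip, port), ...], 'domain': [...]} from a markdown IOC table."""
    out = {"ip_port": [], "domain": []}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue  # header, separator or blank line
        kind, value = cells[0], refang(cells[1])
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_address(ip)  # raises ValueError on a malformed address
            out["ip_port"].append((ip, int(port)))
        elif kind == "domain":
            out["domain"].append(value.lower())
    return out

def kql_dynamic(name: str, values) -> str:
    """Render a Kusto `let name = dynamic([...]);` line from a list of strings."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

def build_kql_lets(iocs: dict) -> str:
    """Emit the IP-only and domain lists used by the hunting queries, plus a
    datatable keyed on ip+port for a join that also checks the C2 port."""
    ips = list(dict.fromkeys(ip for ip, _ in iocs["ip_port"]))  # dedupe, keep order
    rows = ", ".join(f'"{ip}", {port}' for ip, port in iocs["ip_port"])
    return "\n".join([
        kql_dynamic("malicious_ips", ips),
        kql_dynamic("malicious_domains", iocs["domain"]),
        f"let malicious_ip_ports = datatable(RemoteIP:string, RemotePort:int)[{rows}];",
    ])
```

The generated `malicious_ip_ports` table can be joined to `DeviceNetworkEvents` with `| join kind=inner malicious_ip_ports on RemoteIP, RemotePort` to drop hits on a shared IP that use an unrelated port.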
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Potential False Positive Scenarios

Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike beacon to verify connectivity or perform a health check.
Filter/Exclusion: Exclude processes with CommandLine containing beacon or checkin and originating from a known internal monitoring tool (e.g., Cobalt Strike Beacon).

Scenario: Admin Task Using Cobalt Strike for Internal Red Team Exercise
Description: A security team member uses Cobalt Strike as part of a red team exercise to simulate an attack.
Filter/Exclusion: Exclude processes with User matching the red team or security team domain accounts, and filter by ProcessName like cobaltstrike.exe.

Scenario: PowerShell Script Running Cobalt Strike Beacon for Debugging
Description: A script runs a Cobalt Strike beacon in a controlled environment for debugging or testing purposes.
Filter/Exclusion: Exclude processes where CommandLine includes -debug or -test, and filter by User matching the development team.

Scenario: System Job to Clean Up Temporary Files Using Cobalt Strike
Description: A scheduled task uses Cobalt Strike to clean up temporary files or logs, which is not typical but may occur in some environments.
Filter/Exclusion: Exclude processes with CommandLine containing cleanup or delete, and filter by ProcessName like cobaltstrike.exe with a known cleanup script.

Scenario: Cobalt Strike Used for Internal Code Signing or Signing Certificates
Description: A developer uses Cobalt Strike to sign code or certificates as part of a secure development process.
Filter/Exclusion: Exclude processes with CommandLine containing sign or certificate, and filter by User matching the development team or DevOps group.