The detection identifies potential Cobalt Strike command-and-control (C2) activity by matching network events against known IOCs, indicating an adversary may be establishing persistent remote access. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary

Malware Family: Cobalt Strike
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 121[.]196[.]170[.]236:443 | botnet_cc | 2026-05-07 | 100% |
| ip:port | 8[.]136[.]182[.]237:80 | botnet_cc | 2026-05-07 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the IOCs list ports 443 and 80, but this match is IP-only, so traffic
// to these hosts on any port is surfaced; add DestinationPort to narrow it.
let malicious_ips = dynamic(["8.136.182.237", "121.196.170.236"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// InitiatingProcessFileName shows which process opened the connection.
let malicious_ips = dynamic(["8.136.182.237", "121.196.170.236"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
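The queries above take the IOC table and turn it into an IP list; the step in between (refanging the `[.]` notation, splitting off the port, and checking whether a hit matches on port as well as IP) is where mistakes creep in. The following is an added Python example, not part of the original detection content, that performs that step offline against a few constructed log records shaped like the `CommonSecurityLog` columns used above. The IOC values are the two from the table; the sample events, the `SAMPLE_EVENTS` list and all function names are assumptions made for the illustration.

```python
import re
from ipaddress import ip_address

# The two IOC rows from the table, still defanged as published (ip:port).
IOC_ROWS = [
    "121[.]196[.]170[.]236:443",
    "8[.]136[.]182[.]237:80",
]


def refang(value: str) -> str:
    """Reverse common defanging so the value can be compared to real log fields."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an 'ip:port' IOC into (ip, port); raises ValueError on a malformed IP or port."""
    host, sep, port = refang(ioc).rpartition(":")
    if not sep or not re.fullmatch(r"\d{1,5}", port):
        raise ValueError(f"not an ip:port indicator: {ioc!r}")
    ip_address(host)  # validates the address, raises ValueError otherwise
    return host, int(port)


IOC_SET = {parse_ip_port(r) for r in IOC_ROWS}   # exact (ip, port) pairs
IOC_IPS = {ip for ip, _ in IOC_SET}               # IP-only view, as in the KQL above


def kql_ip_list(ips) -> str:
    """Render the IP set as the dynamic([...]) literal used in the KQL queries."""
    quoted = ", ".join(f'"{ip}"' for ip in sorted(ips))
    return f"dynamic([{quoted}])"


# Constructed sample events (assumed data, not real telemetry), using
# CommonSecurityLog column names so the matching mirrors the first query.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-07T10:01:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "121.196.170.236", "DestinationPort": 443},
    {"TimeGenerated": "2026-05-07T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "8.136.182.237", "DestinationPort": 8080},
    {"TimeGenerated": "2026-05-07T10:03:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "93.184.216.34", "DestinationPort": 443},
]


def match_events(events):
    """Return [(event, exact_port_match)] for events touching an IOC IP on either side.

    exact_port_match is True only when the (DestinationIP, DestinationPort)
    pair is in the published IOC set; an IP-only hit on another port is still
    returned, flagged False, so an analyst can triage it separately.
    """
    hits = []
    for ev in events:
        if ev["DestinationIP"] in IOC_IPS or ev["SourceIP"] in IOC_IPS:
            exact = (ev["DestinationIP"], ev["DestinationPort"]) in IOC_SET
            hits.append((ev, exact))
    return hits


if __name__ == "__main__":
    print(kql_ip_list(IOC_IPS))
    for ev, exact in match_events(SAMPLE_EVENTS):
        print("EXACT " if exact else "IP-ONLY", ev["SourceIP"], "->",
              ev["DestinationIP"], ev["DestinationPort"], ev["TimeGenerated"])
```

Running it prints the same `dynamic([...])` literal the queries use and classifies the first sample event as an exact ip:port hit and the second as an IP-only hit (same host, different port); the third does not match. Keeping the IP-only hits visible but separately flagged is the design choice here: C2 infrastructure often listens on more than one port, so dropping them silently would lose coverage, while collapsing them into exact hits would inflate confidence.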
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike Beacon to verify connectivity or perform a health check.
Filter/Exclusion: Exclude events where the process name is beacon.exe and the command line includes --checkin or --verify.
Scenario: Admin Task Using Cobalt Strike for Red Team Exercises
Description: Security teams use Cobalt Strike as part of red team training or penetration testing.
Filter/Exclusion: Exclude processes initiated by users with the RedTeam or SecurityTesting group, or where the command line includes --training or --exercise.
Scenario: System Maintenance Task Using Cobalt Strike
Description: An admin uses Cobalt Strike to perform system diagnostics or network testing.
Filter/Exclusion: Exclude processes where the user is a domain admin and the command line includes --diagnostic or --network-test.
Scenario: Cobalt Strike Used for Internal Threat Hunting
Description: Security analysts use Cobalt Strike to simulate attacks and test defenses.
Filter/Exclusion: Exclude events where the process is initiated from a known threat hunting tool (e.g., MitreAttackFramework.exe) or where the command line includes --simulate or --test.
Scenario: Cobalt Strike Beacon Used for Log Collection
Description: A legitimate log collection tool uses a Cobalt Strike Beacon to gather system logs for analysis.
Filter/Exclusion: Exclude events where the Beacon is configured to collect logs and the command line includes --log-collect or --syslog.