Adversaries are leveraging Cobalt Strike IOCs to establish command and control and exfiltrate data, indicating potential advanced persistent threats. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and mitigate sophisticated attacks before they cause significant damage.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 16
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 156[.]225[.]22[.]84:80 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 121[.]199[.]27[.]49:80 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 8[.]134[.]207[.]30:7777 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 107[.]173[.]38[.]158:80 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 45[.]74[.]47[.]68:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 185[.]177[.]72[.]68:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 154[.]201[.]68[.]191:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 154[.]201[.]68[.]191:8080 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 62[.]60[.]226[.]105:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 83[.]142[.]209[.]194:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 121[.]43[.]243[.]13:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 121[.]43[.]243[.]13:80 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 172[.]94[.]9[.]250:443 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 154[.]201[.]68[.]191:80 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 103[.]149[.]93[.]107:80 | botnet_cc | 2026-05-21 | 100% |
| ip:port | 103[.]149[.]93[.]107:8080 | botnet_cc | 2026-05-21 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the IOC table pairs each IP with a port; this query matches on IP only,
// so a hit on an unlisted port still warrants review (the IP is the stronger signal).
let malicious_ips = dynamic(["45.74.47.68", "83.142.209.194", "121.43.243.13", "156.225.22.84", "103.149.93.107", "185.177.72.68", "107.173.38.158", "62.60.226.105", "8.134.207.30", "172.94.9.250", "121.199.27.49", "154.201.68.191"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.74.47.68", "83.142.209.194", "121.43.243.13", "156.225.22.84", "103.149.93.107", "185.177.72.68", "107.173.38.158", "62.60.226.105", "8.134.207.30", "172.94.9.250", "121.199.27.49", "154.201.68.191"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: Security teams may use Cobalt Strike as part of authorized red team simulations.
Filter/Exclusion: Check for the presence of CobaltStrike.exe in known red team directories (e.g., C:\RedTeam\) or use a filter like process.name != "CobaltStrike.exe" when the process is known to be part of authorized testing.
Scenario: Scheduled Job for Log Collection or Monitoring
Description: A scheduled task may run a script that uses CobaltStrike.exe for log collection or monitoring purposes (e.g., using the Cobalt Strike beacon for internal monitoring).
Filter/Exclusion: Exclude processes running from known monitoring directories (e.g., C:\Monitoring\) or filter by process.directory != "C:\Monitoring\".
Scenario: Admin Task Involving Cobalt Strike Beacon for Internal Communication
Description: System administrators may use Cobalt Strike beacons for internal communication or to test network resilience.
Filter/Exclusion: Exclude processes that are part of known admin tasks (e.g., CobaltStrike.exe running from C:\AdminTools\) or filter by process.directory != "C:\AdminTools\".
Scenario: Cobalt Strike Used for Internal Tooling or Automation
Description: Some enterprises may use Cobalt Strike as part of internal automation or tooling, such as for testing endpoint security controls.
Filter/Exclusion: Exclude processes that are part of internal tooling (e.g., CobaltStrike.exe in C:\InternalTools\) or filter by process.directory != "C:\InternalTools\".
Scenario: Cobalt Strike Beacon Used for Internal Network Mapping
Description: Network administrators may use Cobalt Strike
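The following Python script is an added example (not part of the original page, the ThreatFox feed, or any Microsoft Sentinel content) that ties the two parts of this page together: it refangs the `ip[.]port` indicators from the IOC table into (IP, port) pairs, emits a port-aware KQL `datatable` for `DeviceNetworkEvents` instead of the IP-only `dynamic()` list in the queries above, runs the match against a handful of constructed `DeviceNetworkEvents`-style records, and applies the directory-based exclusions from the false-positive scenarios. The column names `RemoteIP`, `RemotePort`, `InitiatingProcessFileName` and `InitiatingProcessFolderPath` are the real `DeviceNetworkEvents` columns; the IOC subset, the sample events, and the authorized directories (`C:\RedTeam\`, `C:\Monitoring\`) are taken from this page and are assumed to be this organization's own paths.

```python
"""Match Cobalt Strike ip:port IOCs against endpoint network events.

Added example: refang defanged indicators, build a port-aware KQL datatable,
score matches, and apply path-based exclusions for authorized tooling.
"""
import ntpath
import re

# Constructed subset of the IOC table above, still in its defanged form.
IOCS = [
    "156[.]225[.]22[.]84:80",
    "154[.]201[.]68[.]191:443",
    "154[.]201[.]68[.]191:8080",
    "154[.]201[.]68[.]191:80",
    "121[.]43[.]243[.]13:443",
    "121[.]43[.]243[.]13:80",
]

# Directories the false-positive scenarios treat as authorized (assumption: these
# are the organization's own red-team / monitoring paths).
AUTHORIZED_DIRS = ("C:\\RedTeam\\", "C:\\Monitoring\\")

_DEFANGED = re.compile(
    r"^(\d{1,3})\[\.\](\d{1,3})\[\.\](\d{1,3})\[\.\](\d{1,3}):(\d{1,5})$"
)


def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:80' into ('1.2.3.4', 80), rejecting malformed values."""
    m = _DEFANGED.match(ioc.strip())
    if not m:
        raise ValueError(f"unrecognised IOC format: {ioc!r}")
    octets = [int(o) for o in m.group(1, 2, 3, 4)]
    port = int(m.group(5))
    if any(o > 255 for o in octets) or not 0 < port <= 65535:
        raise ValueError(f"out-of-range address or port: {ioc!r}")
    return ".".join(map(str, octets)), port


def ioc_pairs(iocs) -> set[tuple[str, int]]:
    return {refang(i) for i in iocs}


def unique_ips(iocs) -> list[str]:
    """Deduplicated IP list, i.e. what the dynamic([...]) list above contains."""
    return sorted({ip for ip, _ in ioc_pairs(iocs)})


def to_kql_datatable(iocs, name: str = "cs_c2") -> str:
    """Emit a KQL let-statement usable as
    'DeviceNetworkEvents | join kind=inner cs_c2 on RemoteIP, RemotePort'."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(ioc_pairs(iocs)))
    return f"let {name} = datatable(RemoteIP:string, RemotePort:int) [\n{rows}\n];"


def is_excluded(folder_path: str, authorized_dirs=AUTHORIZED_DIRS) -> bool:
    """True if the process ran from an authorized directory. Paths are normalised
    (separators, case, '..') so 'C:\\RedTeam\\..\\Users\\x' is NOT excluded."""
    p = ntpath.normpath(folder_path).lower()
    for d in authorized_dirs:
        base = ntpath.normpath(d).lower()
        if p == base or p.startswith(base + "\\"):
            return True
    return False


def hunt(events, iocs, authorized_dirs=AUTHORIZED_DIRS) -> list[dict]:
    """Score each event: 'high' on an exact ip:port match, 'medium' when only the
    IP matches, 'authorized-path' when the match came from an excluded directory
    (kept in the output for audit rather than silently dropped)."""
    pairs = ioc_pairs(iocs)
    ips = {ip for ip, _ in pairs}
    hits = []
    for e in events:
        ip, port = e["RemoteIP"], int(e["RemotePort"])
        if (ip, port) in pairs:
            severity = "high"
        elif ip in ips:
            severity = "medium"
        else:
            continue
        if is_excluded(e["InitiatingProcessFolderPath"], authorized_dirs):
            severity = "authorized-path"
        hits.append({"DeviceName": e["DeviceName"], "RemoteIP": ip, "RemotePort": port,
                     "Process": e["InitiatingProcessFileName"], "Severity": severity})
    return hits


# Constructed sample DeviceNetworkEvents rows (not real telemetry).
EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "156.225.22.84", "RemotePort": 80,
     "InitiatingProcessFileName": "updater.exe",
     "InitiatingProcessFolderPath": "C:\\Users\\Public\\Downloads"},
    {"DeviceName": "ws02", "RemoteIP": "154.201.68.191", "RemotePort": 4444,
     "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessFolderPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0"},
    {"DeviceName": "rt01", "RemoteIP": "121.43.243.13", "RemotePort": 443,
     "InitiatingProcessFileName": "CobaltStrike.exe",
     "InitiatingProcessFolderPath": "C:\\RedTeam\\"},
    {"DeviceName": "ws03", "RemoteIP": "121.43.243.13", "RemotePort": 443,
     "InitiatingProcessFileName": "CobaltStrike.exe",
     "InitiatingProcessFolderPath": "C:\\RedTeam\\..\\Users\\Public"},
    {"DeviceName": "ws04", "RemoteIP": "8.8.8.8", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessFolderPath": "C:\\Program Files\\Google\\Chrome\\Application"},
]

if __name__ == "__main__":
    print(to_kql_datatable(IOCS))
    for h in hunt(EVENTS, IOCS):
        print(h)
```

The second sample event shows why the IP-only `dynamic()` queries above still matter: the remote IP is on the list but the port is not, so a pure `join` on both columns would miss it, while this scoring keeps it as a medium-confidence hit. The fourth event shows the weakness of a raw `process.directory != "C:\RedTeam\"` string comparison: a path that merely starts with the authorized prefix but resolves elsewhere is normalised first, so it is not excluded.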