The detection identifies potential Cobalt Strike infrastructure by monitoring known IOCs associated with the adversary’s command and control activities. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threat (APT) operations leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 7
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]94[.]233[.]234:8443 | botnet_cc | 2026-05-09 | 50% |
| ip:port | 44[.]201[.]9[.]76:80 | botnet_cc | 2026-05-09 | 50% |
| ip:port | 89[.]124[.]120[.]221:80 | botnet_cc | 2026-05-09 | 50% |
| ip:port | 47[.]95[.]211[.]75:80 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 118[.]145[.]185[.]128:81 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 139[.]226[.]191[.]247:2082 | botnet_cc | 2026-05-09 | 100% |
| ip:port | 8[.]141[.]116[.]149:8080 | botnet_cc | 2026-05-09 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: matches on address only; the IOC table above also lists the C2 port,
// so compare DestinationPort as well if the IP-only match proves noisy.
let malicious_ips = dynamic(["89.124.120.221", "154.94.233.234", "118.145.185.128", "44.201.9.76", "8.141.116.149", "47.95.211.75", "139.226.191.247"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same indicator list; RemotePort is projected so the port from the IOC table can be checked.
let malicious_ips = dynamic(["89.124.120.221", "154.94.233.234", "118.145.185.128", "44.201.9.76", "8.141.116.149", "47.95.211.75", "139.226.191.247"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
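The queries above match on address alone, while the feed publishes each indicator as an ip:port pair. The following is an added example, not code from the page or from ThreatFox: it refangs the defanged table, indexes the indicators by (ip, port), renders the same `dynamic([...])` literal the KQL uses, and runs the match over constructed CommonSecurityLog-style events so an exact ip:port hit can be told apart from an IP-only hit. The `SourcePort` field and the sample events are assumptions made for the example.

```python
"""Match CommonSecurityLog-style events against the Cobalt Strike ip:port IOCs.

Added example, not part of the original page or the ThreatFox feed. The event
field names SourceIP/DestinationIP/DestinationPort come from the page's query;
SourcePort and the sample rows are constructed for this example.
"""
import ipaddress

# The page's IOC table, copied as published (defanged). Confidence kept as an int.
IOC_ROWS = [
    ("154[.]94[.]233[.]234:8443", "botnet_cc", "2026-05-09", 50),
    ("44[.]201[.]9[.]76:80", "botnet_cc", "2026-05-09", 50),
    ("89[.]124[.]120[.]221:80", "botnet_cc", "2026-05-09", 50),
    ("47[.]95[.]211[.]75:80", "botnet_cc", "2026-05-09", 100),
    ("118[.]145[.]185[.]128:81", "botnet_cc", "2026-05-09", 100),
    ("139[.]226[.]191[.]247:2082", "botnet_cc", "2026-05-09", 100),
    ("8[.]141[.]116[.]149:8080", "botnet_cc", "2026-05-09", 100),
]


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in published IOC tables."""
    return indicator.replace("[.]", ".")


def build_ioc_index(rows):
    """Return {(ip, port): metadata}; raises ValueError on a malformed indicator."""
    index = {}
    for raw, threat_type, first_seen, confidence in rows:
        host, _, port = refang(raw).rpartition(":")
        ip = str(ipaddress.ip_address(host))  # validates and normalises the address
        index[(ip, int(port))] = {
            "indicator": raw,
            "threat_type": threat_type,
            "first_seen": first_seen,
            "confidence": confidence,
        }
    return index


def kql_ip_list(index):
    """Render the dynamic([...]) literal used by the page's KQL queries."""
    ips = sorted({ip for ip, _ in index})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


# Constructed sample events in the shape of CommonSecurityLog rows (ports as int).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-10T08:01:00Z", "SourceIP": "10.0.0.5",
     "SourcePort": 51234, "DestinationIP": "47.95.211.75", "DestinationPort": 80,
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-10T08:02:00Z", "SourceIP": "10.0.0.7",
     "SourcePort": 51235, "DestinationIP": "154.94.233.234", "DestinationPort": 443,
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-10T08:03:00Z", "SourceIP": "10.0.0.9",
     "SourcePort": 51236, "DestinationIP": "93.184.216.34", "DestinationPort": 443,
     "DeviceAction": "allow"},
]


def hunt(events, index, ip_only=False):
    """Return one hit per matching event side.

    match_kind is "ip_port" when both address and port equal an IOC, and
    "ip_only" when only the address matches and ip_only=True (the behaviour of
    the page's IP-only KQL: noisier, but it still catches a C2 that moved port).
    """
    ioc_ips = {ip for ip, _ in index}
    hits = []
    for ev in events:
        for ip_field, port_field, side in (
            ("SourceIP", "SourcePort", "source"),
            ("DestinationIP", "DestinationPort", "destination"),
        ):
            ip, port = ev.get(ip_field), ev.get(port_field)
            if ip is None or ip not in ioc_ips:
                continue
            meta = index.get((ip, int(port))) if port is not None else None
            if meta is not None:
                kind = "ip_port"
            elif ip_only:
                kind = "ip_only"
                # Several IOCs may share an address; report the highest-confidence one.
                meta = max((m for (i, _), m in index.items() if i == ip),
                           key=lambda m: m["confidence"])
            else:
                continue
            hits.append({"TimeGenerated": ev["TimeGenerated"], "side": side,
                         "ip": ip, "port": port, "match_kind": kind,
                         "confidence": meta["confidence"],
                         "indicator": meta["indicator"]})
    return hits


if __name__ == "__main__":
    idx = build_ioc_index(IOC_ROWS)
    print(kql_ip_list(idx))
    for hit in hunt(SAMPLE_EVENTS, idx, ip_only=True):
        print(hit)
```

Running the module prints the indicator list in the form the KQL expects and then the hits: the first sample event is an exact ip:port match at 100% confidence, the second matches only on address (a 50%-confidence indicator on a different port) and is reported only when `ip_only=True`, and the third produces nothing.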
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike Beacon to check in with the C2 server as part of a red team exercise or penetration test.
Filter/Exclusion: Exclude processes where the parent process is a known red team tool (e.g., msfvenom, PowerView, or Invoke-Mimikatz) or where the process is initiated by a scheduled task with a known red team identifier.
Scenario: System Administrator Performing a File Integrity Check
Description: An admin uses a tool like Sysinternals Process Explorer or Process Monitor to inspect Cobalt Strike binaries during a routine security audit.
Filter/Exclusion: Exclude processes initiated by user accounts with administrative privileges and where the command line includes audit or inspection keywords (e.g., -audit, -check, -inspect).
Scenario: Cobalt Strike Beacon Used for Internal Red Team Training
Description: A red team member uses a Cobalt Strike Beacon to simulate a compromise during a training exercise.
Filter/Exclusion: Exclude processes where the parent process is a known red team tool (e.g., PowerShell, Mimikatz, or Cobalt Strike itself) and where the process is associated with a red team lab or training environment.
Scenario: Cobalt Strike Binary Used for Debugging or Analysis
Description: A security analyst uses a Cobalt Strike binary for malware analysis or reverse engineering in a sandboxed environment.
Filter/Exclusion: Exclude processes running in a sandboxed or virtualized environment (e.g., using Cuckoo Sandbox, Joe Sandbox, or Wazuh sandbox) or where the process is initiated by a known analysis tool (e.g., IDA Pro, Ghidra, or Volatility