Adversaries use Cobalt Strike beacons to establish command and control and exfiltrate data; a beacon calling back to one of the team servers listed below indicates likely long-term persistence and lateral movement within the network. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain the intrusion before it leads to data theft or further system compromise.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 43
IOC Types: ip:port
The table below lists 25 of the 43 indicators (several IPs appear with more than one port); the hunting queries further down match on the distinct IP addresses.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 62[.]234[.]22[.]228:51234 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 47[.]236[.]91[.]172:8000 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 155[.]138[.]147[.]166:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 185[.]193[.]153[.]57:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 138[.]201[.]90[.]50:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 155[.]138[.]147[.]166:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 155[.]138[.]147[.]166:80 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 185[.]193[.]17[.]158:443 | botnet_cc | 2026-05-18 | 85% |
| ip:port | 185[.]89[.]79[.]154:443 | botnet_cc | 2026-05-18 | 85% |
| ip:port | 107[.]173[.]186[.]7:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 107[.]173[.]186[.]7:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 194[.]58[.]92[.]122:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 107[.]173[.]186[.]7:80 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 124[.]220[.]36[.]247:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 124[.]220[.]36[.]247:80 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 124[.]220[.]36[.]247:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 178[.]154[.]254[.]203:443 | botnet_cc | 2026-05-18 | 85% |
| ip:port | 185[.]89[.]78[.]223:443 | botnet_cc | 2026-05-18 | 95% |
| ip:port | 124[.]220[.]6[.]158:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 123[.]57[.]208[.]37:80 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 123[.]57[.]208[.]37:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 113[.]31[.]115[.]231:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 81[.]68[.]216[.]220:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 113[.]31[.]115[.]231:80 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 81[.]68[.]216[.]220:443 | botnet_cc | 2026-05-18 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// ThreatFox entries are ip:port pairs. Only the IP is matched here so that a
// beacon using a listed host on a different port is still surfaced; the ports
// are projected so the analyst can compare them against the IOC table.
let malicious_ips = dynamic(["124.220.6.158", "185.193.153.57", "172.216.116.64", "192.200.220.100", "130.94.14.186", "175.178.36.137", "47.98.107.233", "107.173.186.7", "185.89.79.154", "172.216.54.73", "103.146.30.121", "106.75.252.66", "194.58.92.122", "182.92.115.48", "185.234.157.185", "172.86.76.154", "138.201.90.50", "203.195.157.138", "155.138.147.166", "178.154.254.203", "168.222.97.93", "47.236.91.172", "123.57.208.37", "172.252.232.23", "81.172.90.197", "185.89.78.223", "124.220.36.247", "185.193.17.158", "62.234.22.228", "81.68.216.220", "113.31.115.231"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (Microsoft Defender XDR connector)
// InitiatingProcessFolderPath and InitiatingProcessAccountName are projected so the
// false-positive checks below (launch directory, account) can be applied at triage.
let malicious_ips = dynamic(["124.220.6.158", "185.193.153.57", "172.216.116.64", "192.200.220.100", "130.94.14.186", "175.178.36.137", "47.98.107.233", "107.173.186.7", "185.89.79.154", "172.216.54.73", "103.146.30.121", "106.75.252.66", "194.58.92.122", "182.92.115.48", "185.234.157.185", "172.86.76.154", "138.201.90.50", "203.195.157.138", "155.138.147.166", "178.154.254.203", "168.222.97.93", "47.236.91.172", "123.57.208.37", "172.252.232.23", "81.172.90.197", "185.89.78.223", "124.220.36.247", "185.193.17.158", "62.234.22.228", "81.68.216.220", "113.31.115.231"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF via AMA (or legacy CEF/Syslog) connector; ensure firewall or proxy logs are being forwarded |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; ensure Defender for Endpoint events are enabled |
Scenario: Legitimate Cobalt Strike usage for red team exercises
Filter/Exclusion: Confirm with the red team that the listed IP is their team server before excluding anything. Then exclude only matches where InitiatingProcessFolderPath is a known red team directory (e.g., C:\RedTeam\) on a known red team host. A directory name alone is a weak control, since an intruder can create the same path.
Scenario: Scheduled job for system maintenance or patching
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known maintenance names (e.g., PatchManager.exe, SystemUpdateJob.exe) only after verifying the task against the known legitimate scheduled task IDs. A patching binary connecting to a listed C2 address is still a hit until the destination is confirmed to be a vendor update endpoint.
Scenario: Admin task for log collection or monitoring
Filter/Exclusion: Exclude processes associated with log management tools like SplunkForwarder.exe or LogParser.exe only when the remote address is the tool's configured collector. Running under admin privileges is not by itself evidence that the connection is legitimate.
Scenario: Use of Cobalt Strike for internal security testing
Filter/Exclusion: Exclude processes launched from internal testing environments (e.g., C:\SecurityTesting\) after verifying that InitiatingProcessAccountName belongs to a known internal security team or testing group. Require both the path and the account to match, not either alone.
Scenario: Malicious file dropped by a legitimate tool during incident response
Filter/Exclusion: Exclude files temporarily written by forensic tools such as Sysinternals Process Monitor (Procmon.exe, Procmon64.exe) during analysis, and verify file hashes against known benign artifacts. This applies to file-based hunts; the network queries above match on IP, so a connection to a listed address from an analysis host should still be reviewed.
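As an added example (not part of this page or of the ThreatFox feed), the Python below parses rows in the defanged table format back into (ip, port) pairs, runs them over constructed firewall CEF lines and Defender-style network events, distinguishes exact ip:port hits from ip-only hits (the same distinction the hunt queries leave to the analyst), and applies the red team exclusion from the scenarios above as a host-plus-path allowlist so that a copied directory name on an unknown host is not excluded. The host names, paths, log lines and the RED_TEAM_* allowlist are assumptions.

```python
"""Offline check of Cobalt Strike ip:port IOCs against sample log records."""
import re
from dataclasses import dataclass

# Constructed sample: four rows in the page's defanged table format (not the full feed).
IOC_TABLE = """
| ip:port | 62[.]234[.]22[.]228:51234 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 155[.]138[.]147[.]166:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 155[.]138[.]147[.]166:443 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 107[.]173[.]186[.]7:443 | botnet_cc | 2026-05-18 | 100% |
"""

# Hypothetical allowlist for the "authorized red team" scenario. Both the host
# and the launch directory must match: a directory name alone is trivial to copy.
RED_TEAM_HOSTS = {"rt-jump01"}
RED_TEAM_PATHS = ("c:\\redteam\\",)

# Constructed CEF lines in the shape CommonSecurityLog receives from a firewall.
SAMPLE_CEF = [
    "CEF:0|Vendor|NGFW|1.0|TRAFFIC|end|3|dvchost=fw01 src=10.20.30.40 spt=51000 dst=155.138.147.166 dpt=8080 act=allow",
    "CEF:0|Vendor|NGFW|1.0|TRAFFIC|end|3|dvchost=fw01 src=10.20.30.41 spt=51002 dst=107.173.186.7 dpt=8443 act=allow",
    "CEF:0|Vendor|NGFW|1.0|TRAFFIC|end|3|dvchost=fw01 src=10.20.30.42 spt=51003 dst=142.250.72.14 dpt=443 act=allow",
]

# Constructed DeviceNetworkEvents-style rows (the columns the hunt query projects).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-042", "RemoteIP": "62.234.22.228", "RemotePort": 51234,
     "InitiatingProcessFileName": "rundll32.exe",
     "InitiatingProcessFolderPath": "c:\\users\\alice\\appdata\\local\\temp"},
    {"DeviceName": "rt-jump01", "RemoteIP": "155.138.147.166", "RemotePort": 443,
     "InitiatingProcessFileName": "beacon.exe", "InitiatingProcessFolderPath": "c:\\redteam\\ops"},
    {"DeviceName": "ws-077", "RemoteIP": "155.138.147.166", "RemotePort": 443,
     "InitiatingProcessFileName": "beacon.exe", "InitiatingProcessFolderPath": "c:\\redteam\\ops"},
]

ROW_RE = re.compile(
    r"\|\s*ip:port\s*\|\s*(?P<ip>[0-9\[\].]+):(?P<port>\d+)\s*\|\s*\w+\s*\|"
    r"\s*[\d-]+\s*\|\s*(?P<conf>\d+)%"
)
CEF_EXT_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    source: str
    host: str
    remote_ip: str
    remote_port: int
    match: str        # "ip:port" (exact IOC) or "ip-only" (listed IP, other port)
    confidence: int   # feed confidence of the matched entry
    excluded: bool    # True when the authorized red team allowlist applies


def refang(ip: str) -> str:
    """Turn 1[.]2[.]3[.]4 back into a routable 1.2.3.4 string."""
    return ip.replace("[.]", ".")


def parse_iocs(table: str) -> dict[tuple[str, int], int]:
    """Map (ip, port) -> confidence percent from the defanged table rows."""
    return {(refang(m["ip"]), int(m["port"])): int(m["conf"]) for m in ROW_RE.finditer(table)}


def classify(iocs, source, host, ip, port, proc_path=""):
    """Return a Finding if ip (and ideally port) is in the IOC set, else None."""
    conf = iocs.get((ip, port))
    if conf is not None:
        kind = "ip:port"
    else:
        same_ip = [c for (i, _), c in iocs.items() if i == ip]
        if not same_ip:
            return None
        kind, conf = "ip-only", max(same_ip)
    excluded = host in RED_TEAM_HOSTS and proc_path.lower().startswith(RED_TEAM_PATHS)
    return Finding(source, host, ip, port, kind, conf, excluded)


def parse_cef(line: str) -> dict[str, str]:
    """Key=value pairs from the CEF extension (everything after the 7th '|')."""
    return dict(CEF_EXT_RE.findall(line.split("|", 7)[7]))


def hunt_cef(iocs, lines):
    """Mirror the CommonSecurityLog query: check both destination and source."""
    findings = []
    for line in lines:
        ext = parse_cef(line)
        for ip_key, port_key in (("dst", "dpt"), ("src", "spt")):
            ip = ext.get(ip_key)
            if ip is None:
                continue
            f = classify(iocs, "CommonSecurityLog", ext.get("dvchost", ""), ip, int(ext.get(port_key, 0)))
            if f:
                findings.append(f)
    return findings


def hunt_endpoint(iocs, events):
    """Mirror the DeviceNetworkEvents query, applying the red team exclusion."""
    findings = []
    for ev in events:
        f = classify(iocs, "DeviceNetworkEvents", ev["DeviceName"], ev["RemoteIP"],
                     ev["RemotePort"], ev["InitiatingProcessFolderPath"])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    for f in hunt_cef(iocs, SAMPLE_CEF) + hunt_endpoint(iocs, SAMPLE_EVENTS):
        print(f)
```

Running it reports the 155.138.147.166:8080 firewall hit as an exact match, the 107.173.186.7:8443 hit as ip-only (worth a look, since the feed lists that host on 443), and flags the beacon on ws-077 even though it runs from C:\RedTeam\ because that host is not on the allowlist.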