Adversaries may be using Cobalt Strike to establish command and control, exfiltrate data and maintain persistent access through the infrastructure listed below as known IOCs. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate Cobalt Strike-based activity before it causes significant damage.
IOC Summary

Malware Family: Cobalt Strike
Total IOCs: 11
IOC Types: ip:port, url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]94[.]168[.]149:9999 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 47[.]83[.]254[.]175:1102 | botnet_cc | 2026-05-08 | 75% |
| domain | 1364170351-kld29tgkc1.ap-guangzhou.tencentscf.com | botnet_cc | 2026-05-08 | 75% |
| url | hxxp://129[.]204[.]224[.]81:14226/visit.js | botnet_cc | 2026-05-08 | 100% |
| url | hxxp://129[.]204[.]224[.]81:14226/Peo9 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 129[.]204[.]224[.]81:14226 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 91[.]211[.]251[.]245:443 | botnet_cc | 2026-05-08 | 50% |
| ip:port | 45[.]76[.]189[.]162:5555 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 45[.]202[.]249[.]88:443 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 43[.]133[.]171[.]24:80 | botnet_cc | 2026-05-08 | 100% |
| ip:port | 45[.]202[.]249[.]88:80 | botnet_cc | 2026-05-08 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["47.94.168.149", "47.83.254.175", "91.211.251.245", "129.204.224.81", "43.133.171.24", "45.76.189.162", "45.202.249.88"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["47.94.168.149", "47.83.254.175", "91.211.251.245", "129.204.224.81", "43.133.171.24", "45.76.189.162", "45.202.249.88"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["1364170351-kld29tgkc1.ap-guangzhou.tencentscf.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Cobalt Strike
let malicious_urls = dynamic(["http://129.204.224.81:14226/visit.js", "http://129.204.224.81:14226/Peo9"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
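The queries above match on bare IP addresses, so an IP that also serves unrelated ports (45.202.249.88 appears on both 443 and 80 in the table) can produce noise. As an added example that is not part of the original hunt pack, the following Python helper refangs values in the table's defanged form and generates a DeviceNetworkEvents query keyed on the full ip:port pair; the sample rows are copied from the table above, and the generated KQL assumes the standard DeviceNetworkEvents columns.

```python
import re

# Constructed sample rows in the defanged (type, value) form of the IOC
# table above; the values are copied from that table, not invented.
SAMPLE_IOCS = [
    ("ip:port", "47[.]94[.]168[.]149:9999"),
    ("ip:port", "45[.]202[.]249[.]88:443"),
    ("ip:port", "45[.]202[.]249[.]88:80"),
    ("domain", "1364170351-kld29tgkc1.ap-guangzhou.tencentscf.com"),
    ("url", "hxxp://129[.]204[.]224[.]81:14226/visit.js"),
]


def refang(value: str) -> str:
    """Undo the defanging conventions used in the table: [.] and hxxp://."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def split_ip_port(value: str) -> tuple[str, int]:
    """'47[.]94[.]168[.]149:9999' -> ('47.94.168.149', 9999)."""
    ip, port = refang(value).rsplit(":", 1)
    return ip, int(port)


def build_network_hunt(iocs) -> str:
    """Emit a DeviceNetworkEvents hunt keyed on the full ip:port pair,
    so an IP that also serves unrelated ports does not produce noise."""
    pairs = sorted({split_ip_port(v) for t, v in iocs if t == "ip:port"})
    rows = ",\n    ".join(f'"{ip}", {port}' for ip, port in pairs)
    return (
        "let c2_pairs = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"    {rows}\n"
        "];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner c2_pairs on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort,\n"
        "    InitiatingProcessFileName, InitiatingProcessCommandLine\n"
        "| order by Timestamp desc"
    )


def refanged_values(iocs, ioc_type: str) -> list[str]:
    """Refanged list for the domain/url hunts above (e.g. DnsEvents)."""
    return sorted(refang(v) for t, v in iocs if t == ioc_type)
```

Paste the string returned by build_network_hunt into the Sentinel Logs blade; refanged_values supplies the lists for the DnsEvents and UrlClickEvents queries.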
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF (Common Event Format) connector; ensure it is enabled and the firewall/proxy is forwarding |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; ensure it is enabled |
| DnsEvents | Populated by the Windows DNS Events connector; ensure it is enabled on the DNS servers |
| UrlClickEvents | Populated by the Microsoft Defender XDR connector (Safe Links); ensure it is enabled |
Each suggested filter below expresses the rows to keep; rows matching the exclusion are dropped. The field names are generic and must be mapped to the table in use (for DeviceNetworkEvents: InitiatingProcessFolderPath, InitiatingProcessParentFileName and InitiatingProcessCommandLine).

Scenario: Legitimate Cobalt Strike usage for red team exercises
Filter/Exclusion: Check for the presence of cobaltstrike.exe in known red team directories (e.g., C:\RedTeam\) and exclude processes launched from such paths.
Suggested Filter: `process.file_path NOT LIKE "C:\RedTeam\%"`

Scenario: Scheduled job running Cobalt Strike for penetration testing
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known test names (e.g., PenTest_Schedule).
Suggested Filter: `NOT (process.parent_process_name = "schtasks.exe" AND process.command_line LIKE "%PenTest_Schedule%")`

Scenario: System administration task involving Cobalt Strike for internal tooling
Filter/Exclusion: Exclude processes associated with internal tools or admin tasks (e.g., InternalTool.exe) that may use Cobalt Strike as part of their workflow.
Suggested Filter: `NOT (process.parent_process_name = "InternalTool.exe" AND process.file_path LIKE "%InternalTool%")`

Scenario: Cobalt Strike used for internal security training or simulations
Filter/Exclusion: Exclude processes that run from training directories (e.g., C:\Training\) or are initiated by training management tools.
Suggested Filter: `process.file_path NOT LIKE "C:\Training\%" AND process.parent_process_name != "TrainingManager.exe"`

Scenario: Cobalt Strike used in a multi-stage deployment with legitimate tools
Filter/Exclusion: Exclude processes that are part of a multi-stage deployment involving legitimate tools such as PowerShell.exe or mshta.exe used for legitimate post-exploitation tasks.
Suggested Filter: `process.parent_process_name != "PowerShell.exe" AND process.parent_process_name != "mshta.exe"`