The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 3
IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://110[.]40[.]181[.]138:14433/IIsX | botnet_cc | 2026-05-06 | 75% |
| ip:port | 43[.]128[.]27[.]124:443 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 3[.]88[.]6[.]51:443 | botnet_cc | 2026-05-06 | 50% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the indicators are ip:port pairs; matching on IP alone is broader than the indicator,
// so review DestinationPort (443 for both IPs) when triaging hits.
let malicious_ips = dynamic(["43.128.27.124", "3.88.6.51"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// InitiatingProcessFileName shows which process opened the connection to the C2 address.
let malicious_ips = dynamic(["43.128.27.124", "3.88.6.51"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Cobalt Strike
// UrlClickEvents only records Safe Links click events, so this covers URLs clicked from
// email or Teams, not direct beacon traffic from a host.
let malicious_urls = dynamic(["http://110.40.181.138:14433/IIsX"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
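As an added example, not part of the original detection page, the following Python turns defanged ThreatFox rows like those in the IOC summary into the KQL `let` lists used above: it refangs the values (hxxp, [.]), keeps the port from ip:port indicators so the Defender network hunt can require IP and port together, and drops indicators below a confidence threshold. The `IOC_ROWS` rows are constructed from the table above; the function names are my own.

```python
import re

# Constructed sample rows copied from the page's IOC summary: (type, defanged value, confidence %).
IOC_ROWS = [
    ("url", "hxxp://110[.]40[.]181[.]138:14433/IIsX", 75),
    ("ip:port", "43[.]128[.]27[.]124:443", 50),
    ("ip:port", "3[.]88[.]6[.]51:443", 50),
]

def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the value matches what logs actually contain."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def split_ip_port(value: str) -> tuple:
    """'1.2.3.4:443' -> ('1.2.3.4', 443); ip:port indicators always carry a port."""
    host, _, port = value.rpartition(":")
    return host, int(port)

def kql_list(name: str, items) -> str:
    """Render a KQL 'let' dynamic array; strings are quoted, ports stay numeric."""
    rendered = ", ".join(f'"{i}"' if isinstance(i, str) else str(i) for i in items)
    return f"let {name} = dynamic([{rendered}]);"

def build_hunt(rows, min_confidence: int = 50) -> dict:
    """Group refanged IOCs by type, dropping rows below the confidence threshold."""
    hunt = {"ips": [], "ports": set(), "urls": []}
    for ioc_type, raw, confidence in rows:
        if confidence < min_confidence:
            continue
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = split_ip_port(value)
            hunt["ips"].append(ip)
            hunt["ports"].add(port)
        elif ioc_type == "url":
            hunt["urls"].append(value)
    hunt["ports"] = sorted(hunt["ports"])
    return hunt

def render_network_query(hunt: dict) -> str:
    """DeviceNetworkEvents hunt that requires both the IP and the port from the ip:port IOC."""
    return "\n".join([
        kql_list("malicious_ips", hunt["ips"]),
        kql_list("malicious_ports", hunt["ports"]),
        "DeviceNetworkEvents",
        "| where RemoteIP in (malicious_ips) and RemotePort in (malicious_ports)",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])
```

Raising `min_confidence` to 75 keeps only the URL indicator, which is how you would tune the hunt when the 50% ip:port entries generate noise on shared hosting addresses.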
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled Cobalt Strike Beacon Check-in
Description: A legitimate scheduled job runs a Cobalt Strike Beacon to verify connectivity or check in with the C2 server as part of a red team exercise or penetration test.
Filter/Exclusion: Exclude processes initiated by known red team tools (e.g., cobaltstrike.exe, beacon.exe) or those running under a specific user account used for red team activities.
Scenario: System Administrator Using Cobalt Strike for Internal Red Teaming
Description: An admin uses Cobalt Strike for internal security testing, which may result in the detection of Cobalt Strike IOCs during normal operations.
Filter/Exclusion: Exclude processes running under the admin’s user account or those associated with internal security testing tools (e.g., msfconsole, metasploit).
Scenario: PowerShell Script Using Cobalt Strike Beacon for Debugging
Description: A PowerShell script is used to debug or test a Cobalt Strike Beacon, which may trigger the detection rule due to the presence of Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes that include the string debug or test in their command line arguments, or those initiated via a known internal debugging tool.
Scenario: Scheduled Task for Malware Analysis with Cobalt Strike
Description: A scheduled task runs Cobalt Strike as part of a malware analysis lab to simulate attack scenarios, leading to the detection of IOCs.
Filter/Exclusion: Exclude processes that run from a known malware analysis directory (e.g., C:\MalwareLab\) or those associated with analysis tools like Cuckoo or CAPE.
Scenario: Admin Task to Generate Cobalt Strike Beacon for Internal Use
Description: An admin generates a Cobalt Strike Beacon for internal use, such as for