The detection identifies potential CobaltMirage FRP infrastructure activity through known malicious IOCs, indicating possible adversary persistence and command-and-control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise by advanced persistent threats leveraging FRP.
IOC Summary
- Malware Family: CobaltMirage FRP
- Total IOCs: 10
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 146[.]190[.]163[.]32:443 | botnet_cc | 2026-05-17 | 90% |
| ip:port | 31[.]57[.]184[.]82:443 | botnet_cc | 2026-05-17 | 95% |
| ip:port | 23[.]27[.]143[.]170:443 | botnet_cc | 2026-05-17 | 90% |
| ip:port | 45[.]92[.]1[.]165:443 | botnet_cc | 2026-05-17 | 95% |
| ip:port | 91[.]92[.]41[.]10:443 | botnet_cc | 2026-05-17 | 95% |
| ip:port | 217[.]30[.]169[.]67:443 | botnet_cc | 2026-05-17 | 90% |
| ip:port | 181[.]134[.]198[.]53:443 | botnet_cc | 2026-05-17 | 90% |
| ip:port | 112[.]125[.]19[.]107:443 | botnet_cc | 2026-05-17 | 95% |
| ip:port | 4[.]235[.]114[.]15:443 | botnet_cc | 2026-05-17 | 95% |
| ip:port | 83[.]142[.]209[.]228:443 | botnet_cc | 2026-05-17 | 95% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - CobaltMirage FRP
// Note: the IOCs are ip:port pairs (all on 443); this query matches on address only,
// so DestinationPort is projected to let the analyst confirm the port by eye.
let malicious_ips = dynamic(["112.125.19.107", "91.92.41.10", "31.57.184.82", "217.30.169.67", "4.235.114.15", "23.27.143.170", "181.134.198.53", "146.190.163.32", "83.142.209.228", "45.92.1.165"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// RemotePort and InitiatingProcessFileName are projected so the analyst can see
// which process opened the connection and whether it used the IOC's port (443).
let malicious_ips = dynamic(["112.125.19.107", "91.92.41.10", "31.57.184.82", "217.30.169.67", "4.235.114.15", "23.27.143.170", "181.134.198.53", "146.190.163.32", "83.142.209.228", "45.92.1.165"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
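The IOCs above are ip:port pairs, but both hunting queries match on the address alone. As an added example that is not part of the original hunt, the query below keeps the port in the match by holding the pairs in a datatable and joining on both address and port, then unions firewall (CommonSecurityLog) and endpoint (DeviceNetworkEvents) hits into one summary per host and destination. Column names are the standard Sentinel schemas for those two tables; the output layout is an assumption of this example.

```kusto
// Port-aware hunt for CobaltMirage FRP ip:port IOCs across firewall and endpoint telemetry
let frp_iocs = datatable(Ip:string, Port:int) [
    "146.190.163.32", 443, "31.57.184.82", 443, "23.27.143.170", 443,
    "45.92.1.165", 443, "91.92.41.10", 443, "217.30.169.67", 443,
    "181.134.198.53", 443, "112.125.19.107", 443, "4.235.114.15", 443,
    "83.142.209.228", 443
];
// Single-column table of addresses used as a cheap prefilter before the join
let ioc_ips = frp_iocs | project Ip;
// Firewall / CEF sources: DestinationPort is already an int in CommonSecurityLog
let fw_hits = CommonSecurityLog
    | where DestinationIP in (ioc_ips)
    | join kind=inner frp_iocs on $left.DestinationIP == $right.Ip, $left.DestinationPort == $right.Port
    | project TimeGenerated, Source = "CommonSecurityLog", Host = DeviceName,
              Src = SourceIP, Dst = DestinationIP, Port = DestinationPort,
              Detail = strcat(DeviceAction, " ", Activity);
// Defender for Endpoint: RemotePort is an int; keep the initiating process for triage
let ep_hits = DeviceNetworkEvents
    | where RemoteIP in (ioc_ips)
    | join kind=inner frp_iocs on $left.RemoteIP == $right.Ip, $left.RemotePort == $right.Port
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              Src = LocalIP, Dst = RemoteIP, Port = RemotePort,
              Detail = strcat(ActionType, " ", InitiatingProcessFileName);
// One row per host/destination pair, with first and last contact and up to 10 distinct details
union fw_hits, ep_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Details = make_set(Detail, 10)
            by Source, Host, Src, Dst, Port
| order by LastSeen desc
```

Repeated contacts from one host to one IOC over a long FirstSeen-to-LastSeen window are the beaconing pattern to prioritise; a single blocked attempt (DeviceAction deny) is lower priority but still worth checking the initiating process on the endpoint.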
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that imports a CSV file containing user credentials for a legitimate internal tool like Azure AD Connect.
Filter/Exclusion: Exclude PowerShell scripts that use Import-Csv with file paths in known internal directories (e.g., C:\Windows\System32\ or C:\Program Files\).
Scenario: A DevOps engineer is using Ansible to deploy configuration files to a set of servers, and the playbook includes a task that copies a file named frp.conf to a server.
Filter/Exclusion: Exclude Ansible tasks that involve copying files to known deployment directories (e.g., /etc/ansible/ or /opt/), or filter by file names that match known legitimate configuration files.
Scenario: A database administrator is running a SQL Server Agent Job that executes a stored procedure to generate a report, and the job name contains the string “FRP” as part of a naming convention.
Filter/Exclusion: Exclude SQL Server Agent Jobs with names containing “FRP” if they are known to be part of a reporting or backup process, or filter by job owner or execution frequency.
Scenario: A security analyst is using Wireshark to capture network traffic for analysis, and the capture includes a file transfer that matches one of the IOCs due to the file name or content.
Filter/Exclusion: Exclude network traffic captured by Wireshark with source or destination IP addresses in the internal network range, or filter by file types that are known to be part of network analysis (e.g., .pcap, .csv).
Scenario: A system update process is deploying a Windows Update that includes a file named frp.exe as part of a legitimate software update, such as a patch for a