This detection identifies potential Cobalt Strike infrastructure by matching network telemetry against known IOCs associated with the adversary's command and control activity. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to detect and mitigate advanced persistent threat (APT) activity that leverages Cobalt Strike.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 36
IOC Types: ip:port
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the ThreatFox IOCs are ip:port pairs, but this query matches on the IP alone,
// so any connection to a listed IP is returned regardless of port. If that is too noisy,
// add a DestinationPort condition using the ports from the IOC list.
let malicious_ips = dynamic(["104.236.69.171", "120.48.18.226", "27.124.19.53", "45.152.65.240", "172.86.76.154", "160.22.28.230", "108.61.223.230", "47.82.234.12", "43.142.51.69", "47.116.67.169", "111.230.36.144", "47.105.76.33", "173.230.134.215", "154.12.86.154", "138.201.86.48", "43.144.11.180", "130.94.14.186", "175.24.201.23", "172.174.90.104", "43.143.145.187", "43.144.19.220", "23.236.64.238", "1.117.61.9", "119.91.26.245", "111.170.148.169"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Same IP list as above; RemotePort is projected so the analyst can compare it
// against the port in the original ip:port IOC.
let malicious_ips = dynamic(["104.236.69.171", "120.48.18.226", "27.124.19.53", "45.152.65.240", "172.86.76.154", "160.22.28.230", "108.61.223.230", "47.82.234.12", "43.142.51.69", "47.116.67.169", "111.230.36.144", "47.105.76.33", "173.230.134.215", "154.12.86.154", "138.201.86.48", "43.144.11.180", "130.94.14.186", "175.24.201.23", "172.174.90.104", "43.143.145.187", "43.144.19.220", "23.236.64.238", "1.117.61.9", "119.91.26.245", "111.170.148.169"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
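As an added example (not part of the original detection content), this Python script parses defanged ThreatFox-style ip:port IOCs like those in the table above, emits the `let malicious_ips = dynamic([...])` line the KQL queries use, and runs both the IP-only matching the queries perform and an exact ip:port match over constructed CommonSecurityLog-style rows, so the difference in precision is visible. The IOC subset is taken from the page; the sample events are constructed.

```python
import re

# Defanged ip:port IOCs, a subset copied from the ThreatFox table on this page.
RAW_IOCS = """
43[.]144[.]11[.]180:8080
154[.]12[.]86[.]154:443
119[.]91[.]26[.]245:6666
"""

# One defanged IPv4 address, "[.]" separators, followed by ":port".
IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def refang(defanged):
    """Turn 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return defanged.replace("[.]", ".")


def parse_iocs(text):
    """Parse defanged ip:port lines into a set of (ip, port) tuples; malformed lines are skipped."""
    pairs = set()
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            pairs.add((refang(m.group(1)), int(m.group(2))))
    return pairs


def kql_ip_list(pairs, name="malicious_ips"):
    """Emit the KQL `let` statement used by the hunting queries (IPs only, de-duplicated, sorted)."""
    ips = sorted({ip for ip, _ in pairs})
    return f"let {name} = dynamic([{', '.join(f'{ip!r}'.replace(chr(39), chr(34)) for ip in ips)}]);"


# Constructed CommonSecurityLog-style rows (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "43.144.11.180", "DestinationPort": 8080},
    {"SourceIP": "10.0.0.5", "DestinationIP": "43.144.11.180", "DestinationPort": 22},
    {"SourceIP": "10.0.0.9", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
    {"SourceIP": "10.0.0.7", "DestinationIP": "119.91.26.245", "DestinationPort": 6666},
]


def match_events(events, pairs):
    """Return (ip_only_hits, exact_hits): IP-only mirrors the page's KQL, exact also requires the port."""
    ips = {ip for ip, _ in pairs}
    ip_only = [e for e in events if e["DestinationIP"] in ips or e["SourceIP"] in ips]
    exact = [e for e in events if (e["DestinationIP"], e["DestinationPort"]) in pairs]
    return ip_only, exact
```

The IP-only pass also returns the port-22 connection to a listed host, which the exact ip:port pass drops; in Sentinel the same tightening is done by adding a DestinationPort condition.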
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: A red team member is executing Cobalt Strike as part of a sanctioned security assessment.
Filter/Exclusion: Check for the presence of a known red team IP or domain in the environment, or filter by user account (e.g., user == "redteam_user").
Scenario: Scheduled Job Running Cobalt Strike for Code Signing
Description: A scheduled job is running Cobalt Strike to sign payloads as part of a development process.
Filter/Exclusion: Filter by process name or command line arguments containing --sign or --code-sign, or check for the presence of a known internal signing certificate.
Scenario: System Administrator Performing a Malware Analysis Task
Description: An admin is using Cobalt Strike to analyze malware behavior in a sandboxed environment.
Filter/Exclusion: Filter by user account (e.g., user == "admin_malware_analysis"), or check for the presence of a sandboxing tool such as Cuckoo or Sandboxie in the process tree.
Scenario: Cobalt Strike Used for Internal Tooling or Automation
Description: An internal tool or automation script is using Cobalt Strike as part of a CI/CD pipeline or infrastructure management.
Filter/Exclusion: Filter by parent process or command line arguments containing --ci, --pipeline, or --automation, or check for the presence of a known internal tooling process.
Scenario: Admin Task Involving Cobalt Strike for Incident Response
Description: An admin is using Cobalt Strike to simulate an attack for incident response training.
Filter/Exclusion: Filter by user account (e.g., user == "ir_training_admin"), or check for the presence of a known training environment or lab IP range.