The detection identifies potential Cobalt Strike C2 activity through suspicious network traffic and file artifacts associated with its infrastructure, indicating possible adversary command-and-control operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that leverage Cobalt Strike for persistent access and data exfiltration.
IOC Summary
Malware Family: Cobalt Strike Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 117[.]50[.]184[.]221:10080 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 112[.]124[.]71[.]123:55555 | botnet_cc | 2026-05-11 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["117.50.184.221", "112.124.71.123"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["117.50.184.221", "112.124.71.123"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a scheduled disk cleanup or log rotation, uses a tool like cleanmgr.exe or logman.exe, which may have network activity resembling Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes associated with cleanmgr.exe, logman.exe, or tasks scheduled via schtasks.exe with known maintenance names.
Scenario: Admin Remote Management via PowerShell
Description: An administrator uses PowerShell to remotely manage a server, which may involve outbound connections to a management IP or domain that matches Cobalt Strike C2 patterns.
Filter/Exclusion: Exclude PowerShell scripts executed by administrators with RunAs or via Invoke-Command with known administrative tools like PsExec or PowerShell Remoting.
Scenario: Network Monitoring Tool Traffic
Description: A network monitoring tool like Wireshark or Microsoft Network Monitor is actively capturing and analyzing network traffic, which may include traffic that matches Cobalt Strike IOCs.
Filter/Exclusion: Exclude traffic originating from or destined to the IP address or domain used by the network monitoring tool (e.g., wireshark.com or internal monitoring servers).
Scenario: Legitimate C2 Communication for DevOps Tools
Description: A DevOps tool like Jenkins or GitLab CI/CD may communicate with external servers for artifact retrieval or deployment, which could resemble Cobalt Strike C2 behavior.
Filter/Exclusion: Exclude traffic from known DevOps tools (e.g., jenkins.war, gitlab-runner, or artifactory) or traffic to whitelisted C2 domains used by CI/CD pipelines.
Scenario: Antivirus or EDR Signature Update
Description: An endpoint protection solution like CrowdStrike or Microsoft Defender updates