The detection identifies connections to known Cobalt Strike command-and-control (C2) infrastructure through published IOCs. Cobalt Strike beacons calling back to these servers indicate an adversary may already have a foothold and be moving toward persistence, lateral movement, and data exfiltration. SOC teams should proactively hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) to detect and contain advanced persistent threats before significant data loss or network compromise occurs.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]139[.]170[.]200:443 | botnet_cc | 2026-05-13 | 75% |
| ip:port | 168[.]222[.]97[.]93:443 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 168[.]222[.]97[.]93:80 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 161[.]248[.]87[.]10:443 | botnet_cc | 2026-05-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// The IOCs are ip:port pairs; the query matches on IP alone so a beacon that
// moved to a different listener port on the same server is still caught.
// Use DestinationPort in the results to separate exact ip:port hits (80/443)
// from lower-confidence IP-only hits.
let malicious_ips = dynamic(["43.139.170.200", "161.248.87.10", "168.222.97.93"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match as above; InitiatingProcessFileName shows which process
// opened the connection, which is the first pivot for triage.
let malicious_ips = dynamic(["43.139.170.200", "161.248.87.10", "168.222.97.93"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
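The following is an added example, not part of the original page or of the ThreatFox feed: it shows the same hunt logic run offline in Python over a constructed sample of DeviceNetworkEvents-style rows. It parses the defanged ip:port indicators from the table above, renders them as the `dynamic([...])` literal the KQL queries use (so the list is generated rather than retyped), and matches events either on IP alone (as the queries do) or on the exact ip:port pair. The event rows, the device names and the `excluded_devices` allowlist are assumptions made up for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed copy of the IOC table above, in the same defanged ip:port form.
IOC_FEED = """43[.]139[.]170[.]200:443
168[.]222[.]97[.]93:443
168[.]222[.]97[.]93:80
161[.]248[.]87[.]10:443"""

# Constructed sample rows shaped like the DeviceNetworkEvents columns the KQL projects.
# Device names and timestamps are invented for the example.
SAMPLE_EVENTS = """Timestamp,DeviceName,RemoteIP,RemotePort,InitiatingProcessFileName,ActionType
2026-05-13T08:01:02Z,WS-0142,43.139.170.200,443,rundll32.exe,ConnectionSuccess
2026-05-13T08:01:05Z,WS-0142,43.139.170.200,8443,rundll32.exe,ConnectionSuccess
2026-05-13T08:02:10Z,SRV-DB01,168.222.97.93,80,svchost.exe,ConnectionSuccess
2026-05-13T08:03:00Z,WS-0077,8.8.8.8,53,chrome.exe,ConnectionSuccess
2026-05-13T08:04:30Z,RT-KALI01,161.248.87.10,443,python3,ConnectionSuccess
"""


def refang(value: str) -> str:
    """Turn a defanged indicator ("43[.]139[.]170[.]200") back into a literal IP."""
    return value.replace("[.]", ".")


def parse_ip_port_iocs(feed: str) -> dict[str, set[int]]:
    """Map each IOC IP to the set of listener ports reported for it.

    Each address is validated with ipaddress so a malformed or mis-defanged
    indicator fails loudly instead of silently never matching.
    """
    iocs: dict[str, set[int]] = defaultdict(set)
    for line in feed.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, port = refang(line).rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a bad indicator
        iocs[ip].add(int(port))
    return dict(iocs)


def kql_ip_list(iocs: dict[str, set[int]]) -> str:
    """Render the IOC IPs as the KQL dynamic() literal used in the hunting queries."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(iocs)) + "])"


def hunt(events_csv: str, iocs: dict[str, set[int]], strict_port: bool = False,
         excluded_devices: frozenset[str] = frozenset()) -> list[dict]:
    """Return events whose RemoteIP is an IOC, annotated with ExactPortMatch.

    strict_port=False mirrors the KQL above: any port on an IOC IP is a hit, so a
    beacon that moved to a new listener port is still caught. strict_port=True
    keeps only exact ip:port matches, the higher-confidence result. Devices in
    excluded_devices (e.g. a documented red team host) are dropped.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        ports = iocs.get(row["RemoteIP"])
        if ports is None or row["DeviceName"] in excluded_devices:
            continue
        exact = int(row["RemotePort"]) in ports
        if strict_port and not exact:
            continue
        row["ExactPortMatch"] = exact
        hits.append(row)
    return hits


if __name__ == "__main__":
    iocs = parse_ip_port_iocs(IOC_FEED)
    print(kql_ip_list(iocs))
    for hit in hunt(SAMPLE_EVENTS, iocs):
        print(hit["Timestamp"], hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"],
              hit["InitiatingProcessFileName"], "exact" if hit["ExactPortMatch"] else "ip-only")
```

The IP-only match returns four rows, including the 8443 connection from WS-0142 that an exact ip:port match would miss; the strict mode returns three. Exclusions are keyed on the local device rather than on a string in a process name, because the remote side of these connections is externally reported C2 infrastructure and only a known, documented source host justifies dropping a hit.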
Scenario: Legitimate Cobalt Strike Usage for Red Team Exercises
Description: Security teams may use Cobalt Strike as part of red teaming or penetration testing to simulate advanced attacks.
Filter/Exclusion: Confirm the activity against a documented engagement (scope, dates, source hosts) rather than relying on redteam or pentest appearing in a user's group or session context. Maintain an allowlist of internal red team source hosts and IPs and exclude those. Note that the IOCs above are externally reported C2 servers, so a red team using its own infrastructure should not normally match them; a hit from a red team host still warrants confirmation with the team.
Scenario: Scheduled Job Running Cobalt Strike for Automated Testing
Description: A scheduled job may execute Cobalt Strike to test network resilience or security controls in a controlled environment.
Filter/Exclusion: Filter by process owner (e.g., security-team or test-user) and check for presence of a test or automation tag in the job name.
Scenario: Admin Task Involving Cobalt Strike for Incident Response
Description: Incident responders may run Cobalt Strike to reproduce or analyze a suspected compromise, for example to replay a captured beacon configuration in a lab.
Filter/Exclusion: Check the parent process or command-line arguments for incident-response or analysis markers. Exclude processes initiated from a known SOC or IR workstation.
Scenario: Cobalt Strike Used for Internal Tooling or Automation
Description: Some organizations may use Cobalt Strike as part of internal tooling or automation frameworks for network discovery or asset management.
Filter/Exclusion: Check for presence of internal tooling names (e.g., internal-tool, asset-scan) in the command line or process name. Exclude IPs from internal tooling servers.
Scenario: Cobalt Strike Used for Internal C2 Communication During a Legitimate Penetration Test
Description: During a penetration test, Cobalt Strike may be used to establish C2 communication with a test environment.
Filter/Exclusion: Filter by presence of penetration-test or PT in