Adversaries are leveraging Cobalt Strike IOCs to establish command and control and exfiltrate data within the network. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and mitigate advanced persistent threat activity early.
IOC Summary
Malware Family: Cobalt Strike Total IOCs: 37 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 206[.]119[.]0[.]249:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]0[.]252:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]0[.]250:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]0[.]248:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]0[.]246:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 81[.]71[.]20[.]155:443 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 81[.]71[.]20[.]155:80 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 81[.]71[.]20[.]155:8080 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 137[.]184[.]102[.]191:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 103[.]147[.]228[.]13:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]231:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]238:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]241:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]244:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]248:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]4[.]242:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]4[.]247:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]229:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]235:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]4[.]244:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]226:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]5[.]228:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 154[.]213[.]180[.]50:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 206[.]119[.]0[.]251:443 | botnet_cc | 2026-05-17 | 80% |
| ip:port | 5[.]196[.]162[.]4:443 | botnet_cc | 2026-05-17 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["206.119.0.248", "206.119.0.250", "144.91.74.47", "103.147.228.13", "103.75.190.47", "31.57.187.91", "193.169.194.51", "206.119.0.246", "206.119.4.247", "154.213.180.50", "192.252.183.183", "206.119.5.235", "206.119.5.238", "206.119.5.231", "206.119.0.249", "144.172.112.67", "178.236.252.244", "81.71.20.155", "41.98.219.186", "206.119.5.244", "188.126.90.5", "137.184.102.191", "206.119.5.248", "5.196.162.4", "206.119.5.228", "206.119.4.242", "206.119.0.252", "206.119.5.241", "139.60.20.34", "154.126.61.41", "163.245.216.78", "206.119.0.251", "206.119.4.244", "206.119.5.229", "206.119.5.226"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["206.119.0.248", "206.119.0.250", "144.91.74.47", "103.147.228.13", "103.75.190.47", "31.57.187.91", "193.169.194.51", "206.119.0.246", "206.119.4.247", "154.213.180.50", "192.252.183.183", "206.119.5.235", "206.119.5.238", "206.119.5.231", "206.119.0.249", "144.172.112.67", "178.236.252.244", "81.71.20.155", "41.98.219.186", "206.119.5.244", "188.126.90.5", "137.184.102.191", "206.119.5.248", "5.196.162.4", "206.119.5.228", "206.119.4.242", "206.119.0.252", "206.119.5.241", "139.60.20.34", "154.126.61.41", "163.245.216.78", "206.119.0.251", "206.119.4.244", "206.119.5.229", "206.119.5.226"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: Security teams may use Cobalt Strike as part of authorized red team simulations.
Filter/Exclusion: Check for presence of redteam or authorized in the job name or description. Exclude processes initiated from known red team directories (e.g., C:\RedTeam\).
Scenario: Scheduled System Maintenance Tasks
Description: Scheduled tasks like schtasks.exe or Task Scheduler may execute scripts that resemble Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or Task Scheduler and filter by known system maintenance script paths (e.g., C:\Windows\System32\taskschd.msc).
Scenario: Admin Tools and PowerShell Scripts
Description: Administrators may use PowerShell or tools like PowerShell.exe to perform routine system management tasks that match Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes with powershell.exe that are launched from known admin tools or scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Log Management and SIEM Tools
Description: Log management tools like Splunk.exe or ELK Stack may generate or process logs that include Cobalt Strike-related strings.
Filter/Exclusion: Exclude processes associated with log management tools and filter by known log processing directories (e.g., C:\Program Files\Splunk\).
Scenario: Software Updates and Patching Tools
Description: Patching tools like Windows Update or WSUS may execute scripts or binaries that resemble Cobalt Strike IOCs during system updates.
Filter/Exclusion: Exclude processes initiated