The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to detect and mitigate advanced persistent threats that leverage Cobalt Strike.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 150[.]158[.]109[.]61:9090 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 112[.]213[.]106[.]53:18443 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 110[.]41[.]76[.]236:8888 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 87[.]121[.]89[.]170:80 | botnet_cc | 2026-05-10 | 100% |
| ip:port | 38[.]147[.]170[.]246:443 | botnet_cc | 2026-05-10 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["110.41.76.236", "38.147.170.246", "112.213.106.53", "150.158.109.61", "87.121.89.170"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["110.41.76.236", "38.147.170.246", "112.213.106.53", "150.158.109.61", "87.121.89.170"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
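The query below is an added example and not part of the original detection: it hunts both tables in one pass and matches on the full ip:port pair from the IOC table rather than the bare IP, so a connection to a listed address on an unrelated port is not flagged. It assumes the standard CommonSecurityLog and DeviceNetworkEvents schemas in Sentinel.

```kusto
// Added example (not from the original page): ip:port matching across both sources.
// IOC pairs taken from the IOC Summary table above.
let cs_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "150.158.109.61", 9090,
    "112.213.106.53", 18443,
    "110.41.76.236",  8888,
    "87.121.89.170",  80,
    "38.147.170.246", 443
];
// Normalise each source to one column layout so the two can be unioned and joined.
let csl = CommonSecurityLog
    | project TimeGenerated, Source = "CommonSecurityLog", Host = DeviceName,
              RemoteIP = DestinationIP, RemotePort = toint(DestinationPort),
              Process = "", Action = DeviceAction;
let mde = DeviceNetworkEvents
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              RemoteIP, RemotePort = toint(RemotePort),
              Process = InitiatingProcessFileName, Action = ActionType;
union csl, mde
// Inner join keeps only events whose destination IP and port both appear in the IOC list.
| join kind=inner cs_c2 on RemoteIP, RemotePort
// One row per C2 endpoint and source, with the hosts and processes that reached it.
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Connections = count(), Hosts = make_set(Host),
            Processes = make_set_if(Process, isnotempty(Process))
    by RemoteIP, RemotePort, Source
| order by LastSeen desc
```

Drop RemotePort from the join clause to fall back to the IP-only matching used in the two queries above when wider coverage is preferred over precision.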
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: Security teams may use Cobalt Strike as part of authorized red team simulations.
Filter/Exclusion: Check for presence of redteam or authorized in the job name or description, or filter by user account (e.g., redteam_user).
Scenario: Scheduled Job for System Maintenance
Description: A scheduled task runs a script that uses ps or tasklist to monitor system processes, which may be flagged as Cobalt Strike IOCs.
Filter/Exclusion: Exclude processes associated with task scheduler or schtasks.exe, or filter by command-line arguments containing --monitor or --system.
Scenario: Admin Task for Log Collection
Description: An admin task uses logman or wevtutil to collect logs, which may resemble Cobalt Strike command-line patterns.
Filter/Exclusion: Exclude processes initiated by Administrators group or filter by command-line arguments containing --log or --collect.
Scenario: PowerShell Script for Patch Management
Description: A PowerShell script runs Get-Service or Stop-Service as part of patch management, which may be mistaken for Cobalt Strike activity.
Filter/Exclusion: Filter by process name powershell.exe with command-line arguments containing patch, update, or maintenance.
Scenario: Network Monitoring Tool Generating Traffic
Description: A network monitoring tool like Wireshark or Microsoft Network Monitor may generate traffic patterns similar to Cobalt Strike C2 communications.
Filter/Exclusion: Exclude traffic from known monitoring tools (e.g., wireshark.exe, nmap.exe) or filter by source/destination IP addresses associated with internal