
ThreatFox: Cobalt Strike IOCs

Category: ioc-hunt · Severity: HIGH · Source: ThreatFox
Sentinel tables: CommonSecurityLog, DeviceNetworkEvents
Tags: cobalt-strike, ioc, threatfox, win-cobalt_strike
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
Retrieved: 2026-03-19T03:46:59Z · Confidence: high

Hunt Hypothesis

Hunt package for 14 IOCs associated with Cobalt Strike

IOC Summary

Malware Family: Cobalt Strike
Total IOCs: 14
IOC Types: ip:port

Type    | Value                          | Threat Type | First Seen | Confidence
--------|--------------------------------|-------------|------------|-----------
ip:port | 165[.]154[.]244[.]77:2562      | botnet_cc   | 2026-03-19 | 100%
ip:port | 106[.]75[.]230[.]47:80         | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]233[.]169:37611    | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]233[.]184:37611    | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]233[.]180:37611    | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]226[.]39:37611     | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]56[.]48:37611      | botnet_cc   | 2026-03-18 | 100%
ip:port | 121[.]41[.]177[.]231:80        | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]226[.]61:37611     | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]190[.]110:37611    | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]216[.]49:37611     | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]233[.]185:37611    | botnet_cc   | 2026-03-18 | 100%
ip:port | 156[.]234[.]226[.]46:37611     | botnet_cc   | 2026-03-18 | 100%
ip:port | 78[.]155[.]221[.]67:8078       | botnet_cc   | 2026-03-18 | 50%

KQL: IP Hunt (CommonSecurityLog)

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: this query matches on IP address only. The port published with each
// IOC is not checked, so compare DestinationPort against the IOC table
// before escalating a hit (several of these IOCs sit on ports 80 and 8078).
let malicious_ips = dynamic(["106.75.230.47", "156.234.233.184", "156.234.233.180", "156.234.226.61", "156.234.233.169", "156.234.226.46", "156.234.190.110", "78.155.221.67", "156.234.216.49", "121.41.177.231", "156.234.56.48", "156.234.226.39", "156.234.233.185", "165.154.244.77"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: IP Hunt (DeviceNetworkEvents)

// Hunt in Defender for Endpoint network events
// Note: matches on RemoteIP only; compare RemotePort with the IOC table and
// review InitiatingProcessFileName to separate beacon traffic from
// unrelated connections to a shared host.
let malicious_ips = dynamic(["106.75.230.47", "156.234.233.184", "156.234.233.180", "156.234.226.61", "156.234.233.169", "156.234.226.46", "156.234.190.110", "78.155.221.67", "156.234.216.49", "121.41.177.231", "156.234.56.48", "156.234.226.39", "156.234.233.185", "165.154.244.77"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
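Both KQL queries above match on the IP address alone, while the feed publishes ip:port pairs. The following Python is an added example, not part of this hunt package or of ThreatFox: it parses the page's defanged IOC table, refangs it, and matches constructed events (shaped like CommonSecurityLog columns, not real traffic) on the full ip:port pair, with a switch to reproduce the IP-only behaviour of the queries for comparison and a confidence threshold so the single 50% indicator can be excluded. The `to_kql_datatable` helper and the `Ioc` class are assumptions introduced here for illustration.

```python
"""Parse the ThreatFox ip:port IOCs from this page and match them against
network events on both IP and port (the page's KQL matches on IP alone)."""
import ipaddress
from dataclasses import dataclass

# Rows copied from the IOC table on this page, still defanged with "[.]".
IOC_ROWS = """\
165[.]154[.]244[.]77:2562 botnet_cc 2026-03-19 100
106[.]75[.]230[.]47:80 botnet_cc 2026-03-18 100
156[.]234[.]233[.]169:37611 botnet_cc 2026-03-18 100
156[.]234[.]233[.]184:37611 botnet_cc 2026-03-18 100
156[.]234[.]233[.]180:37611 botnet_cc 2026-03-18 100
156[.]234[.]226[.]39:37611 botnet_cc 2026-03-18 100
156[.]234[.]56[.]48:37611 botnet_cc 2026-03-18 100
121[.]41[.]177[.]231:80 botnet_cc 2026-03-18 100
156[.]234[.]226[.]61:37611 botnet_cc 2026-03-18 100
156[.]234[.]190[.]110:37611 botnet_cc 2026-03-18 100
156[.]234[.]216[.]49:37611 botnet_cc 2026-03-18 100
156[.]234[.]233[.]185:37611 botnet_cc 2026-03-18 100
156[.]234[.]226[.]46:37611 botnet_cc 2026-03-18 100
78[.]155[.]221[.]67:8078 botnet_cc 2026-03-18 50
"""


@dataclass(frozen=True)
class Ioc:  # hypothetical container for one ip:port indicator
    ip: str
    port: int
    confidence: int  # ThreatFox confidence percentage


def refang(value: str) -> str:
    """Turn a defanged indicator back into a literal one."""
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(rows: str = IOC_ROWS) -> list[Ioc]:
    """Parse whitespace-separated rows of 'ip:port threat_type first_seen confidence'."""
    iocs = []
    for line in rows.splitlines():
        if not line.strip():
            continue
        ip_port, _threat_type, _first_seen, confidence = line.split()
        ip, port = refang(ip_port).rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
        iocs.append(Ioc(ip, int(port), int(confidence)))
    return iocs


# Constructed events in the shape of CommonSecurityLog columns; not real traffic.
EVENTS = [
    {"SourceIP": "10.0.0.5", "SourcePort": 51000, "DestinationIP": "156.234.233.184", "DestinationPort": 37611},
    {"SourceIP": "10.0.0.7", "SourcePort": 51001, "DestinationIP": "106.75.230.47", "DestinationPort": 443},
    {"SourceIP": "10.0.0.9", "SourcePort": 51002, "DestinationIP": "78.155.221.67", "DestinationPort": 8078},
    {"SourceIP": "10.0.0.5", "SourcePort": 51003, "DestinationIP": "8.8.8.8", "DestinationPort": 53},
    {"SourceIP": "121.41.177.231", "SourcePort": 80, "DestinationIP": "10.0.0.5", "DestinationPort": 51004},
]


def match_events(events, iocs, require_port=True, min_confidence=0):
    """Return (event index, matching Ioc) pairs.

    require_port=True matches the full ip:port pair the feed published;
    False reproduces the IP-only behaviour of the page's KQL queries.
    Both directions are checked so an inbound reply from a C2 listener is
    caught as well as the outbound connection to it.
    """
    by_pair = {(i.ip, i.port): i for i in iocs if i.confidence >= min_confidence}
    by_ip = {i.ip: i for i in iocs if i.confidence >= min_confidence}
    hits = []
    for idx, ev in enumerate(events):
        for ip_key, port_key in (("DestinationIP", "DestinationPort"), ("SourceIP", "SourcePort")):
            if require_port:
                ioc = by_pair.get((ev[ip_key], ev[port_key]))
            else:
                ioc = by_ip.get(ev[ip_key])
            if ioc is not None:
                hits.append((idx, ioc))
                break  # one hit per event is enough
    return hits


def to_kql_datatable(iocs):
    """Emit a KQL datatable of (ip, port) pairs suitable for a join on both columns."""
    rows = ", ".join(f'"{i.ip}", {i.port}' for i in iocs)
    return f"let malicious_endpoints = datatable(ip:string, port:int) [{rows}];"


if __name__ == "__main__":
    iocs = parse_iocs()
    for idx, ioc in match_events(EVENTS, iocs):
        print(f"event {idx}: {ioc.ip}:{ioc.port} (confidence {ioc.confidence}%)")
    print(to_kql_datatable(iocs))
```

With the constructed events, pair matching flags the 37611 and 8078 connections and the inbound reply from port 80, but not the connection to 106.75.230.47 on 443, which IP-only matching does flag; raising `min_confidence` to 100 drops the 50% indicator. The emitted datatable can replace the `dynamic([...])` list in the queries above and be joined on both `DestinationIP`/`DestinationPort` (or `RemoteIP`/`RemotePort`) to get the same precision in Sentinel.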

Required Data Sources

Sentinel Table       | Notes
---------------------|---------------------------------------
CommonSecurityLog    | Ensure this data connector is enabled
DeviceNetworkEvents  | Ensure this data connector is enabled

References

Original source: https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/