The ThreatFox: Meterpreter IOCs rule flags network connections to addresses that ThreatFox has tagged as Meterpreter command-and-control listeners. Meterpreter is the in-memory payload shipped with Metasploit; it is used by commodity intrusions, ransomware affiliates and red teams as much as by targeted adversaries, so a hit means "someone is running a Metasploit listener", not "APT". SOC teams should hunt for these indicators in Azure Sentinel (now Microsoft Sentinel) and treat a confirmed match as active hands-on-keyboard access to the endpoint that made the connection.
IOC Summary
Malware Family: Meterpreter
Total IOCs: 3
IOC Types: ip:port
All three indicators are ip:port pairs, i.e. a specific listener on the host rather than the host itself. Match on the port as well as the address wherever the log source records it; an IP-only match on a shared cloud address is weaker evidence, which is also why ThreatFox assigns these rows 50-75% confidence.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 147[.]78[.]2[.]110:8443 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 40[.]176[.]56[.]217:56263 | botnet_cc | 2026-05-08 | 50% |
| ip:port | 3[.]129[.]64[.]160:5061 | botnet_cc | 2026-05-08 | 50% |
```kql
// Hunt for network connections to known Meterpreter C2 IPs in firewall/proxy CEF logs
// Source: ThreatFox - Meterpreter
// Note: only the IP is matched here; check DestinationPort against the ip:port table
// above before treating a hit on a shared cloud address as confirmed.
let malicious_ips = dynamic(["3.129.64.160", "147.78.2.110", "40.176.56.217"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity, DeviceVendor
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Meterpreter
// The initiating process, command line and account are what you triage on next.
let malicious_ips = dynamic(["3.129.64.160", "147.78.2.110", "40.176.56.217"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector (Azure Monitor Agent); ensure your firewall or proxy forwards CEF and that DestinationPort is mapped |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR connector with the DeviceNetworkEvents table enabled |
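The two queries above match on the IP alone, while ThreatFox publishes these indicators as ip:port pairs. The following added example (not part of the ThreatFox page or the Sentinel rule) refangs the three rows from the table, classifies constructed DeviceNetworkEvents-style records as an ip:port hit, an IP-only hit or no hit, and renders the IOC set as a KQL datatable so Sentinel can join on both columns. The host names and event records are constructed for the example; the `meterpreter_c2` datatable name is an assumption.

```python
"""Port-aware matching of ThreatFox ip:port IOCs against endpoint network events.

Added example; the IOC rows are copied from the table above (defanged as
published), the events and the KQL rendering are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The three ThreatFox rows from the table above, defanged exactly as published.
THREATFOX_IOCS = [
    {"ioc_type": "ip:port", "ioc": "147[.]78[.]2[.]110:8443", "threat_type": "botnet_cc", "confidence_level": 75},
    {"ioc_type": "ip:port", "ioc": "40[.]176[.]56[.]217:56263", "threat_type": "botnet_cc", "confidence_level": 50},
    {"ioc_type": "ip:port", "ioc": "3[.]129[.]64[.]160:5061", "threat_type": "botnet_cc", "confidence_level": 50},
]

# Constructed DeviceNetworkEvents-style records (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-0417", "RemoteIP": "147.78.2.110", "RemotePort": 8443, "InitiatingProcessFileName": "rundll32.exe"},
    {"DeviceName": "ws-0912", "RemoteIP": "40.176.56.217", "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "srv-db01", "RemoteIP": "10.20.0.5", "RemotePort": 1433, "InitiatingProcessFileName": "sqlservr.exe"},
]


@dataclass(frozen=True)
class IpPortIoc:
    ip: str
    port: int
    confidence: int


def refang(value: str) -> str:
    """Undo the defanging ThreatFox and most feeds apply before publishing."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ioc(row: dict) -> IpPortIoc:
    """Turn one ThreatFox ip:port row into a structured IOC; malformed rows fail loudly."""
    if row["ioc_type"] != "ip:port":
        raise ValueError(f"unsupported ioc_type {row['ioc_type']!r}")
    ip, port = refang(row["ioc"]).rsplit(":", 1)
    ipaddress.ip_address(ip)  # raises ValueError if the address is garbage
    return IpPortIoc(ip=ip, port=int(port), confidence=int(row["confidence_level"]))


def match_event(event: dict, iocs: Iterable[IpPortIoc]) -> Optional[dict]:
    """Classify one network event against the IOC set.

    An ip:port hit keeps the feed confidence. A hit on the address alone is
    reported separately at half confidence, because an IP-only match on a
    shared cloud address may be unrelated tenant traffic on another port.
    """
    same_ip = [i for i in iocs if i.ip == event["RemoteIP"]]
    if not same_ip:
        return None
    port = int(event["RemotePort"])
    exact = next((i for i in same_ip if i.port == port), None)
    if exact is not None:
        return {"match": "ip:port", "confidence": exact.confidence, "ioc": exact}
    return {"match": "ip_only", "confidence": same_ip[0].confidence // 2, "ioc": same_ip[0]}


def hunt(events: Iterable[dict], iocs: List[IpPortIoc]) -> List[dict]:
    """Return every event that hit an IOC, with the verdict merged into the record."""
    hits = []
    for event in events:
        verdict = match_event(event, iocs)
        if verdict is not None:
            hits.append({**event, **verdict})
    return hits


def to_kql_datatable(iocs: Iterable[IpPortIoc], name: str = "meterpreter_c2") -> str:
    """Render the IOC set as a KQL datatable (assumed name) for a two-column join in Sentinel."""
    rows = ",\n".join(f'    "{i.ip}", {i.port}, {i.confidence}' for i in iocs)
    return (f"let {name} = datatable(RemoteIP:string, RemotePort:int, Confidence:int) [\n"
            f"{rows}\n];")


if __name__ == "__main__":
    iocs = [parse_ioc(r) for r in THREATFOX_IOCS]
    for hit in hunt(SAMPLE_EVENTS, iocs):
        print(f'{hit["DeviceName"]} -> {hit["RemoteIP"]}:{hit["RemotePort"]} '
              f'[{hit["match"]}, confidence {hit["confidence"]}]')
    print(to_kql_datatable(iocs))
```

The rendered datatable is meant to be pasted ahead of `DeviceNetworkEvents | join kind=inner meterpreter_c2 on RemoteIP, RemotePort`, which gives Sentinel the same ip:port precision as the Python matcher; the IP-only hits are still worth a lower-severity hunting query, but they should not drive an automated incident on their own.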
Scenario: Authorized Use of Meterpreter by a Red Team or Penetration Test
Description: A red team, internal security team or contracted penetration tester is using Meterpreter as part of an approved engagement, or a security team is running Metasploit in a training lab. This is the one scenario in which Meterpreter traffic is expected on the network.
Filter/Exclusion: Exclude only the engagement's documented source hosts and the testers' own listener addresses, scoped to the engagement window. The ThreatFox-listed addresses above are not part of an authorized engagement unless the testers confirm they own that infrastructure.
Scenario: Scheduled Task That Launches a Meterpreter Payload
Description: A scheduled task or service starts a process that connects to one of the listed addresses. This is not a monitoring pattern; a scheduled task is a common persistence mechanism for a Meterpreter payload.
Filter/Exclusion: Do not exclude on process name; names such as systool.exe or monitor.exe are trivially chosen by an attacker. Pivot on the task's creator, creation time, image path and file hash before deciding.
Scenario: Administrator Remote Session to a Server
Description: An administrator's remote session for log collection or troubleshooting overlaps a hit. Administrators use RDP, WinRM, SSH or the organization's management agent, not Meterpreter, so an admin account as the initiating account does not make the connection benign; it raises the possibility that the account is compromised.
Filter/Exclusion: Filter by user account only after the account's owner confirms they initiated the session; otherwise treat an admin account driving a connection to these addresses as a priority investigation.
Scenario: Security Tooling Connecting to the Listed Addresses
Description: A sandbox, scanner or threat-intelligence enrichment service reaches out to the listed addresses as part of its own analysis. Endpoint protection products such as Microsoft Defender ATP (now Microsoft Defender for Endpoint) and CrowdStrike do not run Meterpreter; a Defender or CrowdStrike process connecting to these IPs is not expected.
Filter/Exclusion: Filter by the known initiating process and parent of the sandbox or scanner, confirmed against the vendor's documentation of the outbound connections it makes.
Scenario: Hits During a Patch or Maintenance Window
Description: Connections to the listed addresses appear during a maintenance window and the analyst is tempted to attribute them to patch or update tooling. Patch management does not use Meterpreter, and attackers favor maintenance windows precisely because change noise hides them.
Filter/Exclusion: A time-of-day window (e.g., between 08:00 and 18:00) is not a safe exclusion on its own; correlate the hit with the change ticket and the deployment tool's own source hosts before closing it.