The ThreatFox: Meterpreter IOCs rule flags network connections to command-and-control endpoints that ThreatFox has attributed to Meterpreter, the Metasploit Framework's in-memory post-exploitation payload. Because Meterpreter is freely available, it shows up in commodity intrusions and in authorized penetration tests as well as in advanced campaigns, so a hit is evidence of a live C2 channel that needs triage, not by itself evidence of a particular group. SOC teams should hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) and, on a confirmed hit, isolate the host and pivot to the initiating process before the session is used for lateral movement.
IOC Summary
Malware Family: Meterpreter
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 54[.]190[.]138[.]40:42977 | botnet_cc | 2026-05-09 | 50% |
| ip:port | 13[.]60[.]227[.]214:2281 | botnet_cc | 2026-05-09 | 50% |
```kql
// Hunt for network connections to known malicious IPs in CEF/Syslog data
// Source: ThreatFox - Meterpreter
// This matches on IP alone. The IOCs are ip:port, so during triage compare
// DestinationPort against the table (42977 for 54.190.138.40, 2281 for 13.60.227.214).
let malicious_ips = dynamic(["13.60.227.214", "54.190.138.40"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// InitiatingProcessFileName is the key triage field: Meterpreter runs inside whatever
// process the payload was injected into, so an unexpected process talking to these
// endpoints (an Office binary, rundll32.exe, a browser helper) is the signal.
let malicious_ips = dynamic(["13.60.227.214", "54.190.138.40"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector from firewalls, proxies and other network devices; ensure it is enabled and that egress logging is forwarded |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure it is enabled and that the hunted endpoints are onboarded to Defender for Endpoint |
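The queries above match on IP alone, which is the broad form. The added example below (not code from the original page, ThreatFox or Microsoft) converts the two defanged table rows into an exact ip:port hunt for DeviceNetworkEvents, and mirrors the query logic offline against constructed events so the difference is visible: a connection to a listed IP on a different port is not a hit on an ip:port IOC, and an authorized tester's host is excluded only for its documented window. The `AuthorizedPentest` watchlist name and its `SourceHost`, `WindowStart`, `WindowEnd` columns are an assumption, as are `SAMPLE_EVENTS` and `ENGAGEMENTS`.

```python
"""Turn ThreatFox ip:port IOCs into an exact-tuple Sentinel hunt, and mirror it offline.

Added example; not code from the original page, ThreatFox or Microsoft. The two IOC
strings are the rows of the table above. SAMPLE_EVENTS, ENGAGEMENTS and the
'AuthorizedPentest' watchlist (and its column names) are constructed placeholders.
"""
import ipaddress
import re
from datetime import datetime
from typing import Iterable

# The two IOCs from the table, in the defanged form ThreatFox publishes.
THREATFOX_IOCS = ["54[.]190[.]138[.]40:42977", "13[.]60[.]227[.]214:2281"]

_DEFANGED = re.compile(r"^\s*((?:\d{1,3}\[\.\]){3}\d{1,3}):(\d{1,5})\s*$")


def refang(ioc: str) -> tuple[str, int]:
    """'54[.]190[.]138[.]40:42977' -> ('54.190.138.40', 42977). Rejects anything that is
    not a defanged IPv4:port so a malformed feed line cannot silently become a wildcard."""
    m = _DEFANGED.match(ioc)
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {ioc!r}")
    ip = ipaddress.IPv4Address(m.group(1).replace("[.]", "."))  # raises on 999.1.1.1 etc.
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {ioc!r}")
    return str(ip), port


def build_kql(iocs: Iterable[str]) -> str:
    """Emit a DeviceNetworkEvents hunt that joins on the (RemoteIP, RemotePort) tuple
    rather than the IP alone, then drops hits from hosts listed in a hypothetical
    Sentinel watchlist 'AuthorizedPentest' (assumed columns SourceHost, WindowStart,
    WindowEnd) while that host's engagement window is open."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in map(refang, iocs))
    return "\n".join([
        f"let c2 = datatable(RemoteIP:string, RemotePort:int) [{rows}];",
        "let engagements = _GetWatchlist('AuthorizedPentest')",
        "| project SourceHost, WindowStart=todatetime(WindowStart), WindowEnd=todatetime(WindowEnd);",
        "DeviceNetworkEvents",
        "| join kind=inner c2 on RemoteIP, RemotePort",
        "| join kind=leftouter engagements on $left.DeviceName == $right.SourceHost",
        "| where isempty(SourceHost) or Timestamp !between (WindowStart .. WindowEnd)",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])


def hunt(events: list[dict], iocs: Iterable[str], engagements: list[dict]) -> list[dict]:
    """Offline mirror of build_kql's logic, so the tuple match and the window-scoped
    exclusion can be exercised against constructed events without a workspace."""
    c2 = set(map(refang, iocs))
    hits = []
    for ev in events:
        if (ev["RemoteIP"], ev["RemotePort"]) not in c2:
            continue  # same IP on another port is not a hit on an ip:port IOC
        authorized = any(
            ev["DeviceName"] == e["SourceHost"]
            and e["WindowStart"] <= ev["Timestamp"] <= e["WindowEnd"]
            for e in engagements
        )
        if not authorized:
            hits.append(ev)
    return hits


# Constructed events (not real telemetry): one true hit, one same-IP/other-port miss,
# one in-window red-team connection, one from the same red-team host after the window.
SAMPLE_EVENTS = [
    {"Timestamp": datetime(2026, 5, 10, 9, 0), "DeviceName": "ws-01",
     "RemoteIP": "54.190.138.40", "RemotePort": 42977, "InitiatingProcessFileName": "rundll32.exe"},
    {"Timestamp": datetime(2026, 5, 10, 9, 5), "DeviceName": "ws-02",
     "RemoteIP": "54.190.138.40", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": datetime(2026, 5, 10, 14, 0), "DeviceName": "redteam-01",
     "RemoteIP": "13.60.227.214", "RemotePort": 2281, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": datetime(2026, 5, 20, 14, 0), "DeviceName": "redteam-01",
     "RemoteIP": "13.60.227.214", "RemotePort": 2281, "InitiatingProcessFileName": "svchost.exe"},
]
# Constructed engagement record: what the 'AuthorizedPentest' watchlist would hold.
ENGAGEMENTS = [{"SourceHost": "redteam-01",
                "WindowStart": datetime(2026, 5, 9), "WindowEnd": datetime(2026, 5, 12)}]

if __name__ == "__main__":
    print(build_kql(THREATFOX_IOCS))
    for h in hunt(SAMPLE_EVENTS, THREATFOX_IOCS, ENGAGEMENTS):
        print("HIT", h["Timestamp"], h["DeviceName"], h["RemoteIP"], h["RemotePort"])
```

Both forms have a place. The page's IP-only queries also catch a listener that is re-spawned on a new port of the same host; the tuple form is stricter and suits scheduled alerting because cloud addresses are recycled and both IOCs carry only 50% confidence from a single first-seen date. Run the broad form as a hunt and the tuple form as the alert, and refresh the datatable whenever the ThreatFox entry changes.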
Scenario: Authorized Penetration Test Using Metasploit
Description: An internal or contracted tester runs Meterpreter sessions from Metasploit during an approved engagement. Meterpreter is not a system administration or patch management tool; the only legitimate source of Meterpreter traffic is authorized testing.
Filter/Exclusion: Do not exclude by tool name (msfconsole, msfvenom) or by privileged accounts (root, Administrator): an attacker's Meterpreter runs with exactly those privileges, and the process visible on the victim is whatever the payload was injected into, not the operator's console. Exclude only the tester's documented source hosts for the documented engagement window, and confirm with the tester that the listed ip:port is actually their listener. A hit on ThreatFox-reported infrastructure from an engagement that uses its own C2 servers is not a false positive.
Scenario: Scheduled Job Running Meterpreter for Compliance Testing
Description: A breach-and-attack-simulation or compliance job executes a Meterpreter payload on a schedule, for example quarterly.
Filter/Exclusion: Do not exclude everything spawned by schtasks.exe or the Task Scheduler service; scheduled tasks are a standard persistence mechanism for the real thing. Exclude the specific task name (e.g., ComplianceTest_Job) on the specific host it runs on, and verify that the job's callback address is one of the listed ip:port values, since a job that calls back to its own infrastructure cannot produce a hit on this rule at all.
Scenario: Use of Meterpreter in a Red Team Exercise
Description: During a red team engagement, Meterpreter is used to simulate an attack and test network defenses.
Filter/Exclusion: Exclude by the engagement's declared source hosts and time window, taken from the rules of engagement, rather than by tool name (Metasploit, Armitage) or by a red team user account (e.g., RedTeamUser): neither is visible in a network event, and both are trivially claimed by an attacker. Record the exclusion against the engagement ticket and remove it when the engagement ends.
Scenario: Remote Troubleshooting Tools Mistaken for Meterpreter
Description: An administrator's remote support or remote desktop tooling connects out to a cloud-hosted relay, and that relay happens to share an address with a listed IOC. Administrators manage remote desktop sessions with RDP (mstsc.exe) and similar tools, none of which involve Meterpreter.
Filter/Exclusion: Check the remote port and the initiating process before excluding anything. mstsc.exe or a support agent connecting to a listed IP on port 42977 or 2281 is itself suspicious, not a known-good pattern. Exclude only a confirmed relay ip:port, never remote-access users such as RemoteAdmin.
Scenario: Security Tooling That Deliberately Contacts Known C2 Infrastructure
Description: A sandbox, scanner or threat-intelligence validation tool connects to listed C2 addresses on purpose to check whether they are still alive. Threat hunting tools do not contain Meterpreter; what they share with it is the destination.
Filter/Exclusion: Exclude processes associated with threat hunting tools (e.g., ThreatHuntingTool.exe) or users