The ThreatFox: Meterpreter IOCs rule detects potential use of Meterpreter, the in-memory post-exploitation payload delivered by the Metasploit Framework, by matching network telemetry against command-and-control indicators published on abuse.ch ThreatFox. SOC teams should hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) to find hosts that may be under attacker control: Meterpreter provides persistent access, privilege escalation and lateral movement, and it is used by red teams and commodity criminals as well as by advanced persistent threat (APT) groups, so a hit is not evidence of an APT on its own. All four indicators share port 3790, which is also the default port of the Metasploit Pro web interface; a match may therefore be an authorized pentest console rather than a criminal C2 server, so confirm against the engagement schedule before escalating.
IOC Summary
Malware Family: Meterpreter
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 168[.]245[.]203[.]223:3790 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 168[.]245[.]203[.]114:3790 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 199[.]101[.]111[.]21:3790 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 199[.]101[.]111[.]75:3790 | botnet_cc | 2026-03-19 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Meterpreter (all four IOCs are ip:port, port 3790)
let malicious_ips = dynamic(["168.245.203.223", "168.245.203.114", "199.101.111.21", "199.101.111.75"]);
let ioc_port = 3790;
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// A port match raises confidence; an IP-only hit may be unrelated traffic to a shared host
| extend PortMatch = (DestinationPort == ioc_port or SourcePort == ioc_port)
| project TimeGenerated, DeviceVendor, SourceIP, SourcePort, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Meterpreter (all four IOCs are ip:port, port 3790)
let malicious_ips = dynamic(["168.245.203.223", "168.245.203.114", "199.101.111.21", "199.101.111.75"]);
let ioc_port = 3790;
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// The initiating process and account show what made the connection; PortMatch raises confidence
| extend PortMatch = RemotePort == ioc_port
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, PortMatch, ActionType,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
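As an added example (not code from ThreatFox or from the Sentinel rule itself), the Python below refangs the four ip:port indicators exactly as the table prints them, matches them against constructed sample events in the column shapes of DeviceNetworkEvents and CommonSecurityLog, and emits the `let malicious_ips` line the queries start with. It grades an address-plus-port match above an address-only match so that analysts can triage the two separately. The column names are the real Sentinel ones; the sample events, the `Hit` type and the confidence labels are the example's own assumptions.

```python
"""Refang ThreatFox ip:port IOCs, match them against network events and emit the KQL list.

Added example for this page, not code from ThreatFox or the Sentinel rule.
IOC values are the four from the table above; the events below are constructed samples.
"""
import ipaddress
import json
from dataclasses import dataclass

# IOC rows exactly as the page prints them (defanged with [.]).
THREATFOX_IOCS = [
    "168[.]245[.]203[.]223:3790",
    "168[.]245[.]203[.]114:3790",
    "199[.]101[.]111[.]21:3790",
    "199[.]101[.]111[.]75:3790",
]


def refang(value: str) -> str:
    """Undo common defanging so the value can be compared with live telemetry."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("[:]", ":").replace("hxxp", "http"))


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an 'ip:port' IOC and validate both halves; raises ValueError on anything else."""
    host, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip = str(ipaddress.ip_address(host.strip("[]")))  # rejects hostnames and garbage
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in {ioc!r}")
    return ip, port_num


def build_ioc_index(iocs: list[str]) -> dict[str, set[int]]:
    """Map each IOC address to the set of ports published with it."""
    index: dict[str, set[int]] = {}
    for ioc in iocs:
        ip, port = parse_ip_port(ioc)
        index.setdefault(ip, set()).add(port)
    return index


def to_kql_let(index: dict[str, set[int]], name: str = "malicious_ips") -> str:
    """Emit the 'let' line the Sentinel queries start with; addresses sorted for stable diffs."""
    return f"let {name} = dynamic({json.dumps(sorted(index))});"


@dataclass(frozen=True)
class Hit:
    event: dict
    confidence: str  # "high" when address and port both match, "medium" for address only


# Column pairs for the two tables the page queries (Defender XDR, then CEF).
IP_PORT_COLUMNS = (("RemoteIP", "RemotePort"), ("DestinationIP", "DestinationPort"))


def match_events(events: list[dict], index: dict[str, set[int]]) -> list[Hit]:
    """Return one Hit per event whose remote/destination address is an IOC.

    An address-only match is downgraded: the host may serve unrelated traffic on other ports.
    """
    hits = []
    for ev in events:
        for ip_col, port_col in IP_PORT_COLUMNS:
            ip = ev.get(ip_col)
            if ip in index:
                conf = "high" if ev.get(port_col) in index[ip] else "medium"
                hits.append(Hit(ev, conf))
                break
    return hits


# Constructed sample events: three in DeviceNetworkEvents shape, one in CommonSecurityLog shape.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "168.245.203.223", "RemotePort": 3790,
     "InitiatingProcessFileName": "rundll32.exe"},
    {"DeviceName": "ws02", "RemoteIP": "199.101.111.21", "RemotePort": 443,
     "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "8.8.8.8", "RemotePort": 53,
     "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceVendor": "Palo Alto Networks", "SourceIP": "10.0.5.17",
     "DestinationIP": "199.101.111.75", "DestinationPort": 3790},
]

if __name__ == "__main__":
    idx = build_ioc_index(THREATFOX_IOCS)
    print(to_kql_let(idx))
    for hit in match_events(SAMPLE_EVENTS, idx):
        print(hit.confidence, hit.event)
```

Running the block prints the `let` line ready to paste into either query and then two high-confidence hits (rundll32.exe to 168.245.203.223:3790 and the firewall event to 199.101.111.75:3790) and one medium-confidence hit (chrome.exe to 199.101.111.21 on port 443); the DNS event is not reported. The validation in `parse_ip_port` matters when the feed is pulled automatically: a hostname or malformed row must fail loudly rather than silently become a `where ... in` term that never matches.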
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from firewalls and proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender XDR / Defender for Endpoint connector) |
False-positive scenarios: the two queries above match only on the four IP addresses, so endpoint activity such as file access, scheduled tasks or debugging cannot trigger this rule by itself. Each scenario below is relevant only when the described activity also produces a connection to one of the listed hosts. Exclusions should be written against the columns of the table being queried (CommonSecurityLog or DeviceNetworkEvents), not against generic field names, and should never be keyed on a privileged account alone.
Scenario: Legitimate Use of PowerShell for Script Execution
Description: A system administrator uses PowerShell to run a script that interacts with the file system. File access alone does not match an ip:port IOC; the scenario matters only if the script also connects to one of the listed addresses, for example to an organization-owned Metasploit Pro console on port 3790.
Filter/Exclusion: Do not exclude on the account (user.name = "Administrator" or user.name = "SYSTEM"). Meterpreter runs as SYSTEM after getsystem or under a compromised administrator, so that exclusion suppresses exactly the hits that matter. If an exclusion is needed, key it on InitiatingProcessFileName, the specific script path in InitiatingProcessCommandLine and a documented RemoteIP in DeviceNetworkEvents.
Scenario: Scheduled Job Running Meterpreter-Related Tools
Description: A scheduled job runs a legitimate tool such as PsExec or WMIC to manage remote services. These tools connect to internal hosts over SMB or WMI and will not match the public IOC addresses unless one of those addresses is a configured target.
Filter/Exclusion: Excluding every process spawned by a scheduled task (process.parent_process_name = "schtasks.exe" or process.parent_process_path LIKE '%schtasks.exe%') is too broad, since scheduled tasks are a common Meterpreter persistence mechanism; it is also ineffective as written, because tasks are launched by the Task Scheduler service under svchost.exe, not by schtasks.exe. Exclude only the named task's command line together with its known RemoteIP.
Scenario: System Maintenance Task Using Meterpreter-Related Commands
Description: A maintenance task uses net use or net share to manage network shares. These commands target internal file servers and resemble Meterpreter post-exploitation activity, but they only match this rule if the share host is one of the listed IPs.
Filter/Exclusion: Do not exclude all activity by SYSTEM or every net.exe execution. If needed, exclude the specific net.exe command line (the share path) together with its destination IP.
Scenario: Legitimate Use of Meterpreter-Related Tools for Debugging
Description: A developer uses Process Explorer or Process Monitor to inspect application behavior. These tools generate little network traffic of their own (symbol downloads from Microsoft at most) and do not match ip:port IOCs.
Filter/Exclusion: Exclusions on process.name = "procmon.exe" or process.name = "process.explorer.exe" are unnecessary for this rule, and the second one is misspelled: the Process Explorer binary is procexp.exe (procexp64.exe). If retained, restrict them to signed binaries from known paths.
Scenario: Admin Task Involving File System Access
Description: An administrator performs a file-system cleanup or audit with del or Robocopy. Local file operations do not match ip:port IOCs, and Robocopy to a UNC path connects only to the internal file server, so this rule fires only if that server is one of the listed addresses.
Filter/Exclusion: