The ThreatFox: Meterpreter IOCs rule detects potential adversary use of Meterpreter, a powerful post-exploitation tool commonly associated with advanced persistent threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging Meterpreter for command and control.
IOC Summary
Malware Family: Meterpreter
Total IOCs: 6
IOC Types: sha256_hash, md5_hash, sha1_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 64[.]89[.]163[.]22:4477 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 64[.]89[.]163[.]22:8844 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 64[.]89[.]163[.]22:8745 | botnet_cc | 2026-06-21 | 75% |
| sha256_hash | 1e6d5898bea2ebf6b249707ea4235e17e009eda510f2476ce885b97fcd8c26a2 | payload | 2026-06-20 | 95% |
| sha1_hash | cad40d347c87fc9bc1a2f1038e4e8761a6cc080c | payload | 2026-06-20 | 95% |
| md5_hash | c2005d83afa2f81ddeb3c4513734d3b7 | payload | 2026-06-20 | 95% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Meterpreter
let malicious_ips = dynamic(["64.89.163.22"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Meterpreter
let malicious_ips = dynamic(["64.89.163.22"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Meterpreter
let malicious_hashes = dynamic(["1e6d5898bea2ebf6b249707ea4235e17e009eda510f2476ce885b97fcd8c26a2", "cad40d347c87fc9bc1a2f1038e4e8761a6cc080c", "c2005d83afa2f81ddeb3c4513734d3b7"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
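As an added example (not part of the ThreatFox rule or the queries above), the same matching done offline in Python: it refangs the defanged ip:port and hash rows from the table, then runs them over constructed sample events shaped like DeviceNetworkEvents and DeviceFileEvents rows. Unlike the KQL, it separates an exact ip:port hit from a connection to the C2 host on a port not in the feed, and it matches hashes case-insensitively; the event field names and sample values are assumptions.

```python
# Constructed copy of the six ThreatFox rows from the table above, kept defanged as published.
IOC_ROWS = [
    ("ip:port", "64[.]89[.]163[.]22:4477"),
    ("ip:port", "64[.]89[.]163[.]22:8844"),
    ("ip:port", "64[.]89[.]163[.]22:8745"),
    ("sha256_hash", "1e6d5898bea2ebf6b249707ea4235e17e009eda510f2476ce885b97fcd8c26a2"),
    ("sha1_hash", "cad40d347c87fc9bc1a2f1038e4e8761a6cc080c"),
    ("md5_hash", "c2005d83afa2f81ddeb3c4513734d3b7"),
]

def refang(value):
    """Undo feed defanging ("[.]", "hxxp") so the value compares equal to raw telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def build_indicator_sets(rows):
    """Turn feed rows into an {ip: {ports}} map and a lowercase set of file hashes."""
    ip_ports, hashes = {}, set()
    for ioc_type, value in rows:
        value = refang(value)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.setdefault(ip, set()).add(int(port))
        elif ioc_type.endswith("_hash"):
            hashes.add(value.lower())
    return ip_ports, hashes

def match_event(event, ip_ports, hashes):
    """Return (indicator_kind, value) hits for one event dict; 'ip_only' means C2 host, unlisted port."""
    hits = []
    ip = event.get("RemoteIP")
    if ip in ip_ports:
        port = event.get("RemotePort")
        kind = "ip:port" if port in ip_ports[ip] else "ip_only"
        hits.append((kind, f"{ip}:{port}"))
    for field in ("SHA256", "SHA1", "MD5"):      # hash columns of DeviceFileEvents (assumed names)
        value = event.get(field)
        if value and value.lower() in hashes:    # some sources emit uppercase hex
            hits.append((field.lower() + "_hash", value.lower()))
    return hits

def scan(events, rows=IOC_ROWS):
    """Run every event through the feed; returns (DeviceName, hit) pairs for triage."""
    ip_ports, hashes = build_indicator_sets(rows)
    return [(e.get("DeviceName"), h) for e in events for h in match_event(e, ip_ports, hashes)]

# Constructed sample events (assumed field names); ws03 and the port-443 row are the control cases.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "64.89.163.22", "RemotePort": 4477},
    {"DeviceName": "ws02", "RemoteIP": "64.89.163.22", "RemotePort": 443},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 4477},
    {"DeviceName": "ws01", "SHA256": "1E6D5898BEA2EBF6B249707EA4235E17E009EDA510F2476CE885B97FCD8C26A2"},
]
```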
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Use of netsh for Network Configuration
Description: A system administrator is using netsh to configure network interfaces or firewall rules as part of routine maintenance.
Filter/Exclusion: Exclude processes where the command line contains netsh and the user is a domain admin or has elevated privileges.
Scenario: Scheduled Job for System Monitoring with taskhost.exe
Description: A scheduled task running under taskhost.exe is performing system monitoring or log collection using Meterpreter-like IOCs as part of a legitimate monitoring tool.
Filter/Exclusion: Exclude processes where the parent process is schtasks.exe and the task is known to be part of the enterprise monitoring infrastructure.
Scenario: PowerShell Script for System Inventory with ps or powershell.exe
Description: A PowerShell script is being run by an admin to gather system inventory or patch information, which may include commands resembling Meterpreter IOCs.
Filter/Exclusion: Exclude processes where the executable is powershell.exe and the script path is within a known enterprise script repository or managed by a configuration management tool.
Scenario: Use of reg.exe for Registry Key Management
Description: An admin is using reg.exe to modify registry keys for application configuration or policy enforcement, which may trigger Meterpreter-related IOCs.
Filter/Exclusion: Exclude processes where the command line includes reg.exe and the user is a domain admin or has a known legitimate reason for registry modifications.
Scenario: Legitimate Use of mshta.exe for HTML Application Deployment
Description: A system administrator is deploying an HTML application using mshta.exe, which may include scripts that resemble Meterpreter IOCs.
Filter/Exclusion: Exclude processes where the command line includes `ms