The ThreatFox: Meterpreter IOCs rule detects potential adversary use of Meterpreter by identifying known indicators associated with its execution and communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Meterpreter for command and control activities.
IOC Summary

- Malware Family: Meterpreter
- Total IOCs: 2
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]89[.]182[.]91:8443 | botnet_cc | 2026-06-15 | 94% |
| ip:port | 185[.]190[.]204[.]235:443 | botnet_cc | 2026-06-15 | 94% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Meterpreter
// Note: the IOCs above are ip:port pairs; this query matches on IP alone,
// so it is deliberately broader than the indicator (any port to these hosts
// will surface) and DestinationPort is projected for manual comparison.
let malicious_ips = dynamic(["185.190.204.235", "185.89.182.91"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Note: as with the CommonSecurityLog query, this matches on RemoteIP only;
// RemotePort and the initiating process are projected so analysts can
// confirm the ip:port pair and the responsible binary.
let malicious_ips = dynamic(["185.190.204.235", "185.89.182.91"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
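The two queries above match on IP alone even though the ThreatFox indicators are ip:port pairs. The following KQL is an added example (not part of the ThreatFox rule or the original page) that joins both tables against the exact ip:port pairs and summarises hits per host; it assumes the standard Sentinel schema for `CommonSecurityLog` (`Computer`, `DestinationIP`, `DestinationPort`, `DeviceAction`) and `DeviceNetworkEvents` (`DeviceName`, `LocalIP`, `RemoteIP`, `RemotePort`, `InitiatingProcessFileName`, `ActionType`).

```kql
// Added example: exact ip:port matching across both tables (not the original rule).
// IOC pairs taken from the ThreatFox table above; ports are part of the indicator.
let iocs = datatable(ioc_ip:string, ioc_port:int) [
    "185.89.182.91", 8443,
    "185.190.204.235", 443
];
// Firewall / proxy / network appliance logs (CEF) normalised to a common shape.
let csl = CommonSecurityLog
    | where isnotempty(DestinationIP)
    | extend ioc_ip = DestinationIP, ioc_port = toint(DestinationPort)
    | join kind=inner iocs on ioc_ip, ioc_port
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              Host = Computer,
              SourceIP,
              RemoteIP = DestinationIP,
              RemotePort = toint(DestinationPort),
              Process = "",                 // CEF rows carry no initiating process
              Action = DeviceAction;
// Defender for Endpoint network telemetry normalised to the same shape.
let dne = DeviceNetworkEvents
    | extend ioc_ip = RemoteIP, ioc_port = toint(RemotePort)
    | join kind=inner iocs on ioc_ip, ioc_port
    | project TimeGenerated = Timestamp,
              Source = "DeviceNetworkEvents",
              Host = DeviceName,
              SourceIP = LocalIP,
              RemoteIP,
              RemotePort = toint(RemotePort),
              Process = InitiatingProcessFileName,
              Action = ActionType;
// One row per host and indicator, with the set of processes that reached it,
// so an unexpected initiating binary stands out next to the connection count.
union csl, dne
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Events = count(),
            Processes = make_set(Process)
          by Host, RemoteIP, RemotePort, Source
| order by LastSeen desc
```

Run it over the same lookback window as the per-table queries; a host that appears here but not in the IP-only results indicates the port was parsed differently by the two sources and is worth checking.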
Scenario: Scheduled System Maintenance Task

- Description: A legitimate scheduled task runs a script that uses Meterpreter-like IOCs (e.g., nc.exe or msfvenom output) for remote management or patching.
- Filter/Exclusion: `process.name not in ("nc.exe", "msfvenom.exe")`, or check for Task Scheduler in the process tree.

Scenario: Remote Administration Tool (RAT) Usage

- Description: IT administrators use a legitimate RAT (e.g., TeamViewer, LogMeIn) which may have similar IOCs to Meterpreter.
- Filter/Exclusion: `process.name not in ("TeamViewer.exe", "LogMeIn.exe")`, or check for known admin tools in the process tree.

Scenario: PowerShell Script for System Monitoring

- Description: A PowerShell script runs Meterpreter-like IOCs (e.g., Invoke-WebRequest, Out-File) to collect system metrics or logs.
- Filter/Exclusion: `process.name != "powershell.exe"`, or check for powershell.exe with a command line containing monitor, log, or report.

Scenario: Database Backup Job Using Network Tools

- Description: A database backup job uses nc.exe or similar tools to transfer data over the network, triggering Meterpreter-like IOCs.
- Filter/Exclusion: `process.name != "nc.exe"`, or check for backup or restore in the command line or process tree.

Scenario: Admin Task Using Meterpreter for Remote Debugging

- Description: A system admin uses Meterpreter for legitimate remote debugging or troubleshooting, which may trigger the rule.
- Filter/Exclusion: `process.name != "meterpreter.exe"`