The ThreatFox: Meterpreter IOCs rule flags potential Meterpreter use by matching network telemetry against indicators that ThreatFox has associated with its command-and-control traffic. It is an indicator match, not a behavioural detection: it fires only on the listed addresses, so it complements rather than replaces process- and memory-based Meterpreter detections. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel). Meterpreter is the Metasploit payload used by penetration testers, red teams and criminal actors alike, so a hit warrants triage for command and control or persistence rather than an automatic APT attribution.
IOC Summary
Malware Family: Meterpreter
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 103[.]39[.]235[.]194:443 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 185[.]89[.]254[.]46:80 | botnet_cc | 2026-06-13 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Meterpreter
// Caveat: the feed lists ip:port pairs, but this query matches on IP alone.
// Compare DestinationPort with the feed (443 for 103.39.235.194, 80 for 185.89.254.46)
// during triage; a hit on another port may be shared hosting rather than the C2 listener.
let malicious_ips = dynamic(["185.89.254.46", "103.39.235.194"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (DeviceNetworkEvents arrives via the Microsoft Defender XDR connector)
// Same caveat as above: compare RemotePort with the port in the feed.
let malicious_ips = dynamic(["185.89.254.46", "103.39.235.194"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) via AMA connector from firewalls and proxies; ensure this data connector is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; ensure this data connector is enabled |
Scenario: Scheduled Maintenance Task Reaching a Listed Address
Description: A scheduled task (created with schtasks.exe or the Task Scheduler) runs an update or inventory script whose destination IP is on the feed. This happens when the address belongs to shared hosting, a CDN or a reassigned VPS that also served Meterpreter C2. Meterpreter leaves no "IOC" inside a script; the only thing this hunt keys on is the remote ip:port.
Filter/Exclusion: Do not exclude schtasks.exe or task names such as SystemMaintenanceTask. Confirm what the task actually runs and whether the destination is the expected vendor endpoint on the expected port, then exclude only that validated combination of source host, destination IP and port.
Scenario: PowerShell Automation Reaching a Listed Address
Description: An admin's PowerShell automation (Invoke-WebRequest, Invoke-RestMethod or Invoke-Command to a remote host) connects to an address on the feed. The feed carries no command-line patterns, and Invoke-Meterpreter is not a Microsoft cmdlet; a process running anything by that name is a finding, not a false positive.
Filter/Exclusion: Never exclude on PowerShell.exe, Invoke-Command or -Command; those are exactly the invocations used to launch a Meterpreter stager. Tune on InitiatingProcessFolderPath or the file hash of the known script host together with the validated destination IP and port.
Scenario: Logon Script Reaching a Listed Address
Description: A GPO logon script (logon.bat or logon.ps1) maps drives or pulls configuration from a server whose IP is on the list, usually because the address was reassigned or the script points at a stale or compromised host. userenv.dll is the Windows profile-loading library and is not a tuning key.
Filter/Exclusion: Review the script in SYSVOL. A logon script that reaches an external C2 address on 443 or 80 is most likely a compromised script, not a benign hit. Exclude only a validated internal destination, never processes "initiated by logon scripts" in general.
Scenario: Admin Remote Management Through a Listed Address
Description: PsExec, other PsTools or WinRM sessions target remote hosts by name or IP, so a hit means an admin's target is, or resolved to, an address on the feed. Confirm the target against the asset inventory. These tools are also the standard lateral-movement path once Meterpreter is on a host, so a blanket exclusion for them would hide the activity the rule exists to find.
Filter/Exclusion: Exclude processes initiated by PsExec.exe, PSTools, or WinRM with command
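The following is an added example, not code from the page or from ThreatFox. It runs the two ip:port IOCs from the table above over constructed CEF-style firewall lines, keeping the port from each IOC so an IP hit on a different port is reported separately from a full ip:port match, and it applies the tuning the scenarios above call for as a validated (source host, destination IP, port) exception rather than a process-name exclusion. The field names src, spt, dst, dpt, act and proc, the log lines, and the exception for host 10.0.0.20 are all made up for the example.

```python
"""Added example (not from the page or ThreatFox): port-aware ip:port IOC
matching over constructed firewall log lines, with tuple-scoped tuning."""
import re

# IOCs copied from the page's table, in the defanged form ThreatFox publishes.
THREATFOX_IOCS = [
    ("103[.]39[.]235[.]194:443", "botnet_cc", 100),
    ("185[.]89[.]254[.]46:80", "botnet_cc", 100),
]

# Constructed CEF-style lines, not real telemetry: "timestamp key=value ...".
SAMPLE_LOG = """\
2026-06-14T08:01:02Z src=10.0.0.5 spt=51234 dst=103.39.235.194 dpt=443 act=allow proc=powershell.exe
2026-06-14T08:01:09Z src=10.0.0.7 spt=51240 dst=185.89.254.46 dpt=8080 act=allow proc=chrome.exe
2026-06-14T08:02:00Z src=10.0.0.5 spt=51301 dst=8.8.8.8 dpt=53 act=allow proc=svchost.exe
2026-06-14T08:03:15Z src=185.89.254.46 spt=80 dst=10.0.0.9 dpt=49877 act=deny proc=-
2026-06-14T08:04:40Z src=10.0.0.20 spt=52010 dst=103.39.235.194 dpt=443 act=allow proc=updater.exe
"""

# Hypothetical validated exception: host 10.0.0.20 was confirmed to reach this
# endpoint for a vendor update. Scoped to (local host, IOC ip, port), never to a process name.
VALIDATED_EXCEPTIONS = {("10.0.0.20", "103.39.235.194", 443)}

KV = re.compile(r"(\w+)=(\S+)")


def refang(ioc):
    """'103[.]39[.]235[.]194:443' -> ('103.39.235.194', 443); port is None if absent."""
    text = ioc.replace("[.]", ".").replace("[:]", ":")
    ip, sep, port = text.rpartition(":")
    return (ip, int(port)) if sep else (text, None)


def build_index(iocs):
    """Map ip -> {port: (threat_type, confidence)} so the port is not thrown away."""
    index = {}
    for raw, threat_type, confidence in iocs:
        ip, port = refang(raw)
        index.setdefault(ip, {})[port] = (threat_type, confidence)
    return index


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def hunt(lines, index, exceptions=frozenset()):
    """Return one hit per (event, direction) whose IOC-side IP is in the index."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        # Check both directions: the C2 may be the destination (beacon) or the source (reply).
        for ioc_ip_f, ioc_port_f, local_f, direction in (
            ("dst", "dpt", "src", "outbound"),
            ("src", "spt", "dst", "inbound"),
        ):
            ip = ev.get(ioc_ip_f)
            if ip not in index:
                continue
            port = int(ev.get(ioc_port_f, -1))
            if (ev.get(local_f), ip, port) in exceptions:
                verdict = "validated_exception"
            elif port in index[ip] or None in index[ip]:
                verdict = "ip_port_match"
            else:
                # Same IP, different port: possible shared hosting or CDN; needs context, not auto-alert.
                verdict = "ip_only"
            hits.append({
                "ts": ev["ts"], "direction": direction, "ioc_ip": ip, "port": port,
                "local_host": ev.get(local_f), "verdict": verdict,
                "action": ev.get("act"), "process": ev.get("proc"),
            })
    return hits


def summarize(hits):
    """Count hits per verdict, the first thing an analyst wants from a hunt."""
    counts = {}
    for h in hits:
        counts[h["verdict"]] = counts.get(h["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    idx = build_index(THREATFOX_IOCS)
    results = hunt(SAMPLE_LOG.splitlines(), idx, VALIDATED_EXCEPTIONS)
    for h in results:
        print(h)
    print(summarize(results))
```

The exception set is the safe shape for the tuning discussed in the scenarios: it suppresses one verified host talking to one verified endpoint on one port, and nothing else, so a later Meterpreter stager launched from PowerShell, PsExec or a scheduled task on any other host still surfaces as ip_port_match.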