The ThreatFox: Meterpreter IOCs rule detects potential adversary use of Meterpreter by matching network events against known indicators of its command-and-control communication. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and mitigate advanced persistent threat activity that leverages Meterpreter for persistent access and control.
IOC Summary
Malware Family: Meterpreter
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 193[.]106[.]217[.]106:80 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 185[.]89[.]255[.]244:80 | botnet_cc | 2026-06-11 | 91% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Meterpreter
let malicious_ips = dynamic(["185.89.255.244", "193.106.217.106"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["185.89.255.244", "193.106.217.106"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
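The IOC type above is ip:port, yet both queries match on the IP alone. As an added example (not ThreatFox's or Sentinel's own code), the script below refangs ThreatFox-style entries, applies a confidence threshold, and emits a KQL hunt that joins on IP and port together; the SAMPLE_IOCS list is constructed from the table above and its dictionary keys are an assumption.

```python
import re
from ipaddress import ip_address

# Constructed sample: the two ip:port IOCs from the table above, in defanged form.
SAMPLE_IOCS = [
    {"ioc": "193[.]106[.]217[.]106:80", "threat_type": "botnet_cc", "confidence": 100},
    {"ioc": "185[.]89[.]255[.]244:80", "threat_type": "botnet_cc", "confidence": 91},
]

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")  # the usual ways a dot is defanged


def refang_ip_port(value):
    """Turn '193[.]106[.]217[.]106:80' into ('193.106.217.106', 80)."""
    host, sep, port = DEFANG_RE.sub(".", value.strip()).rpartition(":")
    if not sep:
        raise ValueError(f"expected ip:port, got {value!r}")
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in {value!r}")
    # ip_address() rejects hostnames and malformed addresses instead of letting
    # them slip into the watchlist unnoticed.
    return str(ip_address(host)), port_num


def select_iocs(iocs, min_confidence=75):
    """Keep ip:port IOCs at or above the confidence threshold, deduplicated and sorted."""
    pairs = {refang_ip_port(e["ioc"]) for e in iocs if e.get("confidence", 0) >= min_confidence}
    return sorted(pairs)


def build_kql(pairs):
    """Emit a DeviceNetworkEvents hunt keyed on IP *and* port.

    Joining on the port as well keeps unrelated services on a shared or
    reused IP from producing noise.
    """
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in pairs)
    return (
        "let ioc_pairs = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"{rows}\n];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner ioc_pairs on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


if __name__ == "__main__":
    print(build_kql(select_iocs(SAMPLE_IOCS)))
```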
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Use of PowerShell for Script Execution
Description: A system administrator uses PowerShell to run a legitimate script that interacts with the file system, which may trigger the Meterpreter IOC related to file access.
Filter/Exclusion (suppress when true): process.name == "powershell.exe" AND process.user == "admin" AND (file.path contains "scripts" OR file.name contains "script")
Scenario: Scheduled Job Using Meterpreter-Related Tools
Description: A scheduled job runs a legitimate tool like schtasks.exe or task scheduler to perform routine maintenance, which may have IOCs similar to Meterpreter.
Filter/Exclusion (suppress when true): (process.name == "schtasks.exe" OR process.name == "taskhost.exe") AND file.path contains "scheduled_tasks"
Scenario: Admin Task Involving File Manipulation
Description: An administrator uses tools like icacls.exe or takeown.exe to modify file permissions, which may match Meterpreter file access patterns.
Filter/Exclusion (suppress when true): (process.name == "icacls.exe" OR process.name == "takeown.exe") AND (file.path contains "system32" OR file.path contains "admin_tools")
Scenario: Network Monitoring Tool with Meterpreter-Like Behavior
Description: A network monitoring tool like Wireshark or tcpdump may generate network traffic that resembles Meterpreter communication patterns.
Filter/Exclusion (suppress when true): (process.name == "wireshark.exe" OR process.name == "tcpdump.exe") AND (network.destination_port == 80 OR network.destination_port == 443)
Scenario: Legitimate Use of Meterpreter for Internal Red Team Exercises
Description: Security teams use Meterpreter as part of internal red team exercises, which may trigger the rule due to known IOCs.