← Back to SOC feed Coverage →

ThreatFox: Meterpreter IOCs

ioc-hunt HIGH ThreatFox
CommonSecurityLogDeviceNetworkEvents
iocthreatfoxwin-meterpreter
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at ThreatFox →
Retrieved: 2026-03-19T03:46:59Z · Confidence: high

Hunt Hypothesis

Hunt package for 4 IOCs associated with Meterpreter

IOC Summary

Malware Family: Meterpreter Total IOCs: 4 IOC Types: ip:port

TypeValueThreat TypeFirst SeenConfidence
ip:port168[.]245[.]203[.]223:3790botnet_cc2026-03-19100%
ip:port168[.]245[.]203[.]114:3790botnet_cc2026-03-19100%
ip:port199[.]101[.]111[.]21:3790botnet_cc2026-03-19100%
ip:port199[.]101[.]111[.]75:3790botnet_cc2026-03-19100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Meterpreter
let malicious_ips = dynamic(["168.245.203.223", "168.245.203.114", "199.101.111.21", "199.101.111.75"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["168.245.203.223", "168.245.203.114", "199.101.111.21", "199.101.111.75"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DeviceNetworkEventsEnsure this data connector is enabled

References

Original source: https://threatfox.abuse.ch/browse/malware/win.meterpreter/