The ThreatFox: Meterpreter IOCs rule detects potential adversary use of Meterpreter by identifying known indicators associated with its execution and communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activities that leverage Meterpreter for command and control or data exfiltration.
IOC Summary

Malware Family: Meterpreter
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 51[.]49[.]154[.]73:28080 | botnet_cc | 2026-05-10 | 50% |
| ip:port | 18[.]61[.]24[.]85:3260 | botnet_cc | 2026-05-10 | 50% |
| ip:port | 15[.]152[.]97[.]87:2405 | botnet_cc | 2026-05-10 | 50% |
| ip:port | 3[.]11[.]8[.]247:48294 | botnet_cc | 2026-05-10 | 50% |
| ip:port | 13[.]53[.]214[.]62:2380 | botnet_cc | 2026-05-10 | 50% |
Hunting Queries

```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Meterpreter
let malicious_ips = dynamic(["15.152.97.87", "51.49.154.73", "18.61.24.85", "3.11.8.247", "13.53.214.62"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Meterpreter
let malicious_ips = dynamic(["15.152.97.87", "51.49.154.73", "18.61.24.85", "3.11.8.247", "13.53.214.62"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
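The two queries above match on IP only, while the ThreatFox indicators are ip:port pairs. The following Python script is an added example, not part of the page or of ThreatFox's tooling: it parses the defanged indicators from the table, refangs them, checks constructed sample network events both for an exact ip:port hit and for an IP-only hit (which is what the KQL does), and emits the `dynamic([...])` literal used in the queries so the list does not have to be retyped by hand. The sample events and their field names are constructed to mirror the DeviceNetworkEvents columns.

```python
"""Match defanged ThreatFox ip:port IOCs against sample network events.

Added example (not the page's own code). Steps:
  1. parse the defanged ip:port indicators from the IOC table,
  2. refang them into an exact (ip, port) set and an IP-only set,
  3. classify constructed sample events as exact / ip_only / no hit,
  4. render the dynamic([...]) literal for the KQL hunting queries.
"""
import re

# Indicators copied from the page's IOC table, still defanged.
DEFANGED_IOCS = [
    "51[.]49[.]154[.]73:28080",
    "18[.]61[.]24[.]85:3260",
    "15[.]152[.]97[.]87:2405",
    "3[.]11[.]8[.]247:48294",
    "13[.]53[.]214[.]62:2380",
]

# Dotted-quad IPv4 with each octet limited to 0-255.
_IPV4 = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)


def refang(indicator: str) -> str:
    """Undo the common defanging styles: [.] or (.) -> . and hxxp -> http."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ip_port(indicator: str) -> tuple[str, int]:
    """Return (ip, port) for a defanged or plain ip:port string; raise ValueError otherwise."""
    ip, sep, port = refang(indicator).rpartition(":")
    if not sep or not _IPV4.match(ip) or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"not an ip:port indicator: {indicator!r}")
    return ip, int(port)


def is_valid_ip_port(indicator: str) -> bool:
    """Validation helper so malformed feed entries can be rejected before hunting."""
    try:
        parse_ip_port(indicator)
        return True
    except ValueError:
        return False


def build_ioc_sets(indicators):
    """Return (exact_pairs, ip_only) sets for fast lookup during matching."""
    exact, ips = set(), set()
    for ind in indicators:
        ip, port = parse_ip_port(ind)
        exact.add((ip, port))
        ips.add(ip)
    return exact, ips


def match_events(events, exact, ips):
    """Return [(event, 'exact' | 'ip_only')] for events touching an IOC.

    'exact' means ip AND port matched the feed; 'ip_only' means the IP matched
    on another port (what the IP-only KQL above would also flag).
    """
    hits = []
    for ev in events:
        if (ev["RemoteIP"], ev["RemotePort"]) in exact:
            hits.append((ev, "exact"))
        elif ev["RemoteIP"] in ips:
            hits.append((ev, "ip_only"))
    return hits


def kql_dynamic_list(ips) -> str:
    """Render the IP set as the dynamic([...]) literal used by the hunting queries."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(ips)) + "])"


# Constructed sample events (not real telemetry), shaped like DeviceNetworkEvents rows.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-10T09:12:03Z", "DeviceName": "ws-017",
     "RemoteIP": "51.49.154.73", "RemotePort": 28080, "InitiatingProcessFileName": "updater.exe"},
    {"Timestamp": "2026-05-10T09:13:40Z", "DeviceName": "ws-017",
     "RemoteIP": "18.61.24.85", "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    {"Timestamp": "2026-05-10T09:15:11Z", "DeviceName": "srv-db01",
     "RemoteIP": "10.0.0.5", "RemotePort": 3260, "InitiatingProcessFileName": "iscsicpl.exe"},
    {"Timestamp": "2026-05-10T09:20:27Z", "DeviceName": "ws-042",
     "RemoteIP": "13.53.214.62", "RemotePort": 2380, "InitiatingProcessFileName": "svchost.exe"},
]

if __name__ == "__main__":
    exact_pairs, ip_set = build_ioc_sets(DEFANGED_IOCS)
    print(kql_dynamic_list(ip_set))
    for ev, kind in match_events(SAMPLE_EVENTS, exact_pairs, ip_set):
        print(f"{kind:8} {ev['Timestamp']} {ev['DeviceName']} "
              f"{ev['InitiatingProcessFileName']} -> {ev['RemoteIP']}:{ev['RemotePort']}")
```

Running it prints the `dynamic([...])` list followed by two exact hits and one IP-only hit; the iSCSI event on port 3260 to an internal address is not flagged, which is the reason to keep the port in the exact check rather than matching on port alone. In Sentinel the same distinction can be made by comparing `RemotePort` against the feed's port per IP and triaging exact matches first.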
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positives

Scenario: System administrators use PowerShell to run legitimate administrative tasks such as updating the system or managing services.
Filter/Exclusion: Exclude processes where the command line contains powershell.exe and the command includes -Command or -File with paths to known administrative scripts or modules.

Scenario: The Task Scheduler runs a legitimate scheduled job that uses Meterpreter-like payloads for system maintenance (e.g., log rotation or backup scripts).
Filter/Exclusion: Exclude tasks scheduled via schtasks.exe or Task Scheduler with known legitimate job names and paths that match enterprise-defined maintenance scripts.

Scenario: Security tools such as OSSEC or Tripwire use Meterpreter-based payloads for automated system hardening or compliance checks.
Filter/Exclusion: Exclude processes initiated by security tools with known command-line arguments or parent processes that match the tool's service or executable name.

Scenario: IT staff use PowerShell Remoting (powershell.exe -Command) to remotely manage servers, which may include commands that resemble Meterpreter IOCs.
Filter/Exclusion: Exclude processes where the parent process is winrm.exe or mstsc.exe and the command line includes remote management or administrative commands.

Scenario: The Windows Event Log is being queried or manipulated using tools like LogParser or PowerShell for forensic analysis or compliance reporting.
Filter/Exclusion: Exclude processes where the command line includes logparser.exe or Get-WinEvent and the script or command is known to be part of the enterprise's log analysis routines.