The ThreatFox: Meterpreter IOCs rule detects potential adversary use of Meterpreter by identifying known indicators associated with its execution and communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity that leverages Meterpreter for command and control.
IOC Summary
Malware Family: Meterpreter
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 80[.]76[.]49[.]130:4444 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 13[.]124[.]36[.]100:34289 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 51[.]85[.]62[.]142:1521 | botnet_cc | 2026-05-06 | 50% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Meterpreter
// Matches on IP only; the IOC ports from the table (4444, 34289, 1521) are
// projected via DestinationPort so an analyst can confirm the full ip:port pair.
let malicious_ips = dynamic(["13.124.36.100", "80.76.49.130", "51.85.62.142"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// RemotePort and InitiatingProcessFileName are projected so the ip:port pair
// and the connecting process can be checked during triage.
let malicious_ips = dynamic(["13.124.36.100", "80.76.49.130", "51.85.62.142"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
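The two queries above match on IP alone, while the ThreatFox indicators are ip:port pairs. The following added example (not part of the original rule or of ThreatFox) refangs the defanged IOCs from the table, builds the `dynamic([...])` list used in the KQL, and runs the same match over constructed CommonSecurityLog-style records, flagging whether the destination port also matched so an analyst can separate full ip:port hits from IP-only hits; the event records are sample values, not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Defanged ip:port IOCs copied from the ThreatFox table above.
IOCS = [
    "80[.]76[.]49[.]130:4444",
    "13[.]124[.]36[.]100:34289",
    "51[.]85[.]62[.]142:1521",
]

# Constructed sample events shaped like CommonSecurityLog rows (not real data).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-06T10:01:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "80.76.49.130", "DestinationPort": 4444},
    {"TimeGenerated": "2026-05-06T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "13.124.36.100", "DestinationPort": 443},
    {"TimeGenerated": "2026-05-06T10:03:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]

IPV4 = re.compile(r"(\d{1,3}\.){3}\d{1,3}")

def refang(ioc: str) -> Tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' indicator into (ip, port)."""
    ip, port = ioc.replace("[.]", ".").rsplit(":", 1)
    if not IPV4.fullmatch(ip):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ip, int(port)

def kql_ip_list(iocs: List[str]) -> str:
    """Render the IP set as the dynamic([...]) literal used in the KQL hunts."""
    ips = sorted({refang(i)[0] for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def match_events(events: List[Dict], iocs: List[str]) -> List[Dict]:
    """Return events touching an IOC IP, tagged with field and port-match quality."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        for field in ("DestinationIP", "SourceIP"):
            ip = ev[field]
            if ip in ips:
                # The IOC port is a C2 listener port, so it is only comparable
                # with DestinationPort when the IOC IP is the destination.
                exact = field == "DestinationIP" and (ip, ev["DestinationPort"]) in pairs
                hits.append({**ev, "MatchedField": field, "ExactPortMatch": exact})
                break
    return hits
```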
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Monitoring Tool Usage
Description: A security tool like Sysmon or LogParser is being used to monitor system activity, which may trigger Meterpreter-related IOCs due to similar process creation or network activity.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., sysmon64.exe, logparser.exe) or where the command line includes known tool arguments.
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled job (e.g., using Task Scheduler or PowerShell) is running a script that interacts with the system in a way that resembles Meterpreter behavior, such as file access or registry modification.
Filter/Exclusion: Exclude tasks where the job name or command line contains keywords like maintenance, backup, or cleanup, or where the user is a system or service account.
Scenario: Admin Task for Remote Management
Description: An administrator is using PsExec or WinRM to remotely manage a system, which may result in process creation or network traffic similar to Meterpreter IOCs.
Filter/Exclusion: Exclude processes where the parent process is psexec.exe or winrm.exe, or where the command line includes remote management flags like -s or -u.
Scenario: File Integrity Monitoring Tool
Description: A tool like Tripwire or OSSEC is performing file integrity checks, which may involve reading or writing files that match Meterpreter IOCs.
Filter/Exclusion: Exclude processes where the executable is a known integrity monitoring tool (e.g., tripwire, ossecd) or where the file path is within a known monitoring directory.
Scenario: PowerShell Script for Automation
Description: A PowerShell script