Abnormal process connection to default Meterpreter port

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-05-10
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Hour
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Non-Standard Port (T1571)
Severity	Informational

Description

This process has probably been compromised by Meterpreter and is now used by it to run malicious commands.

Attacker's Goals

Run Metasploits's malicious post-exploitation tool named Meterpreter to further compromise the host.

Investigative actions

Verify if the destination IP is running a Metasploit server.
Look for malicious action being done by the suspicious process.

Variations

Abnormal process connection to default Meterpreter port on an internet-facing server

Synopsis

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Non-Standard Port (T1571)
Severity	Low

Description

This process has probably been compromised by Meterpreter and is now used by it to run malicious commands.

Attacker's Goals

Run Metasploits's malicious post-exploitation tool named Meterpreter to further compromise the host.

Investigative actions

Verify if the destination IP is running a Metasploit server.
Look for malicious action being done by the suspicious process.