The ThreatFox: Sliver IOCs rule flags potential adversary activity associated with the Sliver C2 framework by matching network connections against command-and-control infrastructure indicators published by the abuse.ch ThreatFox feed. Sliver is an open-source, cross-platform C2 framework used by red teams and adopted by criminal and state-sponsored intrusion sets alike, so a hit on these indicators should be triaged as a possible post-exploitation foothold rather than as a commodity-malware event. SOC teams should hunt for the listed ip:port pairs in Microsoft Sentinel (formerly Azure Sentinel) to catch early-stage compromise. Note that both indicators share a single IP address and differ only by port.
IOC Summary
Malware Family: Sliver
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 13[.]140[.]187[.]194:40056 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 13[.]140[.]187[.]194:31337 | botnet_cc | 2026-06-16 | 75% |
```kql
// Hunt for network connections to known malicious IPs (firewall/proxy logs in CEF)
// Source: ThreatFox - Sliver
let malicious_ips = dynamic(["13.140.187.194"]);
let malicious_ports = dynamic([40056, 31337]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// PortMatch distinguishes an exact ip:port hit from other traffic to the same host
| extend PortMatch = DestinationPort in (malicious_ports) or SourcePort in (malicious_ports)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Sliver
let malicious_ips = dynamic(["13.140.187.194"]);
let malicious_ports = dynamic([40056, 31337]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// PortMatch distinguishes an exact ip:port hit from other traffic to the same host
| extend PortMatch = RemotePort in (malicious_ports)
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | CEF logs from firewalls and proxies; ensure the connector is enabled and that the sources log outbound connections, not only blocked ones. |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR connector and devices onboarded to Defender for Endpoint. |
False-positive handling: every exclusion should be as narrow as possible (host plus process plus time window), agreed with the owner of the activity, and removed when the engagement or job ends. Because these are ip:port indicators, excluding by process name alone never makes the match safe.
Scenario: An authorized red team is running Sliver against in-scope hosts during an approved engagement.
Filter/Exclusion: Scope the exclusion to the engagement (tester hosts or accounts and the approved time window) and confirm the team server address with the red team. Do not exclude by process name: a Sliver implant is compiled with whatever file name the operator chooses, so a process literally called "sliver" or "sliver-server" is the exception, not the rule.
Example Filter (KQL; host names and dates are placeholders): | where not(DeviceName in~ ("RT-WS01", "RT-WS02") and Timestamp between (datetime(2026-06-15) .. datetime(2026-06-20)))
Scenario: Security tooling deliberately connects to the indicator, for example a scheduled PowerShell threat-intel enrichment script, a vulnerability scanner, a sandbox, or a detection-validation exercise run by the security team.
Filter/Exclusion: Exclude only the dedicated analysis hosts and the specific initiating process, after confirming with the tool owner that the traffic is expected. A blanket exclusion of powershell.exe, or of anything launched from schtasks.exe, would also hide an implant started through a scheduled task.
Example Filter (KQL; host name is a placeholder): | where not(DeviceName =~ "TI-ENRICH01" and InitiatingProcessFileName =~ "powershell.exe")
Scenario: Windows Update or Group Policy traffic is suspected of matching the indicators.
Filter/Exclusion: It will not: WSUS clients and gpupdate talk to your WSUS servers and domain controllers, not to a ThreatFox-listed address, so no exclusion is needed. Never exclude ports 80 and 443 globally (the filter destination.port != 80 and destination.port != 443 would do exactly that): Sliver's HTTP and HTTPS listeners default to those ports, so such a filter blinds the hunt to the most common transport. If WSUS noise must be suppressed elsewhere, match the WSUS server's address or hostname, not the port.
Example Filter (KQL; address is a placeholder for your WSUS server): | where not(RemoteIP == "10.10.0.25")
Scenario: A backup job (Veeam, Commvault) or another vendor client is seen connecting to the listed IP.
Filter/Exclusion: Cloud-hosted addresses are recycled. Before excluding anything, check who owns 13.140.187.194 today (WHOIS/ASN, passive DNS, the vendor's published endpoint ranges) against the 2026-06-16 first-seen date and the 75% confidence on the ThreatFox entries. If the address now hosts a legitimate service, retire the indicator rather than adding a process exclusion; a "veeam" or "commvault" substring match would also hide an implant that was simply named after a backup agent.
Example Filter (KQL; only after verification, scoped to the backup server, host name is a placeholder): | where not(DeviceName =~ "BKP-SRV01" and InitiatingProcessFileName has_any ("veeam", "commvault"))
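The following Python is an added example, not code from ThreatFox, Sliver or Sentinel. It models both the hunt queries above and the red-team exclusion from the false-positive guidance offline: it refangs the two published ip:port values, emits the `let` lines for the KQL queries so that ports are copied from the feed rather than transcribed by hand, and runs the IP-then-port match over constructed DeviceNetworkEvents-shaped records with a host-scoped, time-bound exclusion. The host names, timestamps and the engagement window are invented placeholders; the indicator values are the two from the table above.

```python
"""Offline model of the ThreatFox -> Sentinel hunt above (added example, not page code)."""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# The two ThreatFox rows from the IOC table above, as published (defanged with [.]).
THREATFOX_IOCS = [
    {"ioc_type": "ip:port", "ioc_value": "13[.]140[.]187[.]194:40056", "confidence_level": 75},
    {"ioc_type": "ip:port", "ioc_value": "13[.]140[.]187[.]194:31337", "confidence_level": 75},
]


def refang(value: str) -> str:
    """Undo the defanging conventions used when indicators are shared."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_ip_port(ioc: dict) -> tuple[str, int]:
    """Turn an ip:port indicator into (ip, port); fail loudly on a typo instead of hunting on it."""
    if ioc["ioc_type"] != "ip:port":
        raise ValueError(f"unsupported IOC type {ioc['ioc_type']!r}")
    ip, _, port = refang(ioc["ioc_value"]).rpartition(":")
    ipaddress.ip_address(ip)          # raises ValueError if the address is malformed
    return ip, int(port)


def kql_lists(iocs: list[dict]) -> str:
    """Emit the `let` lines for the KQL queries so IPs and ports come from the feed, not from hand-copying."""
    pairs = {parse_ip_port(i) for i in iocs}
    ips = sorted({ip for ip, _ in pairs})
    ports = sorted({port for _, port in pairs})
    return (f"let malicious_ips = dynamic({json.dumps(ips)});\n"
            f"let malicious_ports = dynamic({json.dumps(ports)});")


@dataclass(frozen=True)
class Exclusion:
    """Authorised-activity exclusion: scoped to one host AND one time window, never to a process name."""
    device_name: str
    start: datetime
    end: datetime

    def covers(self, event: dict) -> bool:
        return (event["DeviceName"].lower() == self.device_name.lower()
                and self.start <= event["Timestamp"] <= self.end)


def hunt(events: list[dict], iocs: list[dict], exclusions: tuple[Exclusion, ...] = ()) -> list[dict]:
    """Mirror the DeviceNetworkEvents query: match on IP, drop excluded rows, tag exact ip:port hits."""
    pairs = {parse_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        if ev["RemoteIP"] not in ips or any(x.covers(ev) for x in exclusions):
            continue
        hits.append({**ev, "PortMatch": (ev["RemoteIP"], ev["RemotePort"]) in pairs})
    return hits


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed DeviceNetworkEvents-shaped records; host names and times are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": _ts("2026-06-17T09:12:03"), "DeviceName": "FIN-WS042", "RemoteIP": "13.140.187.194",
     "RemotePort": 31337, "InitiatingProcessFileName": "svchost.exe"},   # exact ip:port hit
    {"Timestamp": _ts("2026-06-17T09:12:09"), "DeviceName": "FIN-WS042", "RemoteIP": "13.140.187.194",
     "RemotePort": 8443, "InitiatingProcessFileName": "svchost.exe"},    # same host, unlisted port
    {"Timestamp": _ts("2026-06-17T10:00:00"), "DeviceName": "RT-WS01", "RemoteIP": "13.140.187.194",
     "RemotePort": 40056, "InitiatingProcessFileName": "updater.exe"},   # red team host, inside window
    {"Timestamp": _ts("2026-06-25T10:00:00"), "DeviceName": "RT-WS01", "RemoteIP": "13.140.187.194",
     "RemotePort": 40056, "InitiatingProcessFileName": "updater.exe"},   # red team host, AFTER window
    {"Timestamp": _ts("2026-06-17T10:00:05"), "DeviceName": "HR-WS007", "RemoteIP": "8.8.8.8",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},      # unrelated traffic
]
# Hypothetical approved engagement: host RT-WS01 between 15 and 20 June 2026.
RED_TEAM = Exclusion("RT-WS01", _ts("2026-06-15T00:00:00"), _ts("2026-06-20T00:00:00"))

if __name__ == "__main__":
    print(kql_lists(THREATFOX_IOCS))
    for h in hunt(SAMPLE_EVENTS, THREATFOX_IOCS, (RED_TEAM,)):
        print(h["Timestamp"].isoformat(), h["DeviceName"], h["RemotePort"],
              "exact ip:port" if h["PortMatch"] else "ip only")
```

The red-team host is suppressed only inside its approved window; its connection on 25 June is reported again, which is the behaviour a time-bound exclusion should have. Traffic to the listed IP on an unlisted port is still surfaced, marked ip-only, because a C2 host frequently exposes more listeners than the feed has captured.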