The ThreatFox: Sliver IOCs rule detects potential adversary activity linked to the Sliver C2 framework by identifying known malicious indicators associated with its command and control infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced persistent threats leveraging Sliver.
IOC Summary
Malware Family: Sliver
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 191[.]101[.]131[.]244:40056 | botnet_cc | 2026-05-23 | 75% |
| ip:port | 191[.]101[.]131[.]244:31337 | botnet_cc | 2026-05-23 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Sliver
// The ThreatFox IOCs are ip:port pairs; matching on the IP alone is deliberately broader than the two ports listed above.
let malicious_ips = dynamic(["191.101.131.244"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemotePort is projected so hits on 40056 and 31337 can be separated from other traffic to the same host.
let malicious_ips = dynamic(["191.101.131.244"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
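As an added example that is not part of the original rule, the two hunts above can be combined into a single query that matches on the exact ip:port pairs from the IOC table instead of on the IP alone, and summarises hits per source host and process. The IOC list is constructed from the table above; the column names are the standard CommonSecurityLog and DeviceNetworkEvents schema.

```kql
// Constructed IOC list: the two ThreatFox ip:port pairs for Sliver shown in the IOC table.
let sliver_iocs = datatable(ioc_ip: string, ioc_port: int)
[
    "191.101.131.244", 40056,
    "191.101.131.244", 31337
];
// Firewall / proxy traffic from CommonSecurityLog, normalised to a common column set.
let firewall = CommonSecurityLog
    | where DestinationIP in (sliver_iocs | project ioc_ip)   // cheap pre-filter before the join
    | project TimeGenerated, Source = SourceIP, RemoteIP = DestinationIP, RemotePort = DestinationPort,
              Process = "", Action = DeviceAction, Origin = "CommonSecurityLog";
// Endpoint traffic from Defender for Endpoint, normalised to the same columns.
let endpoint = DeviceNetworkEvents
    | where RemoteIP in (sliver_iocs | project ioc_ip)
    | project TimeGenerated = Timestamp, Source = DeviceName, RemoteIP, RemotePort,
              Process = InitiatingProcessFileName, Action = ActionType, Origin = "DeviceNetworkEvents";
union firewall, endpoint
// Keep only connections that match both the IP and one of the listed C2 ports.
| join kind=inner sliver_iocs on $left.RemoteIP == $right.ioc_ip and $left.RemotePort == $right.ioc_port
| project-away ioc_ip, ioc_port
// One row per source host / process / C2 endpoint, with first and last sighting for triage.
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Origins = make_set(Origin) by Source, RemoteIP, RemotePort, Process
| order by LastSeen desc
```

Rows whose DestinationPort or RemotePort is empty are dropped by the inner join, so keep the IP-only queries above for coverage of log sources that do not record the port.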
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled system integrity check using Sysmon (Microsoft Sysmon) to monitor file changes.
Filter/Exclusion: Exclude events where the file path matches known Sysmon configuration files (e.g., C:\Windows\System32\sysmon64.exe or C:\ProgramData\sysmon\sysmon.cfg).
Scenario: PowerShell script running a legitimate admin task, such as updating the Windows registry or managing services.
Filter/Exclusion: Exclude processes initiated by the Local System account or those with a command line containing known admin scripts (e.g., reg.exe or sc.exe).
Scenario: Windows Task Scheduler job that executes a legitimate maintenance script (e.g., log cleanup or backup).
Filter/Exclusion: Exclude tasks with a trigger type of “At log on” or “Daily” and with a command line containing known maintenance tools (e.g., cleanmgr.exe or wbadmin.exe).
Scenario: Sliver is used legitimately for red teaming or penetration testing with approved tools like Cobalt Strike or Metasploit.
Filter/Exclusion: Exclude processes where the parent process is a known red teaming tool (e.g., cobaltstrike.exe or msfconsole.exe) or where the command line includes a known test payload.
Scenario: Log management tools like ELK Stack or Splunk are configured to read and write to log files, which may involve file IO operations.
Filter/Exclusion: Exclude file operations where the file path starts with a known log directory (e.g., C:\ProgramData\elastic\logs\ or C:\ProgramData\Splunk\logs\).