The ThreatFox: Sliver IOCs rule detects potential adversary activity associated with the Sliver C2 framework by identifying known malicious indicators linked to its infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced persistent threats leveraging Sliver.
IOC Summary
Malware Family: Sliver Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 46[.]8[.]226[.]70:8443 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 92[.]53[.]193[.]89:443 | botnet_cc | 2026-05-26 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Sliver
let malicious_ips = dynamic(["46.8.226.70", "92.53.193.89"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["46.8.226.70", "92.53.193.89"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled system backup using rsync or tar with known Sliver IOCs in the command line
Filter/Exclusion: Exclude processes initiated by the root user or those containing /bin/tar, /bin/rsync, or /usr/bin/backup in the command line.
Scenario: Legitimate use of sliver (a penetration testing tool) during authorized red team exercises
Filter/Exclusion: Exclude processes with the sliver binary path or those initiated by a known red team user or group (e.g., redteam or pentester).
Scenario: System update or patching using apt or yum that includes a package name matching a Sliver IOC
Filter/Exclusion: Exclude processes with /usr/bin/apt, /usr/bin/yum, or /usr/bin/dpkg in the command line, and filter by package names known to be part of standard OS updates.
Scenario: Administrative task using ps or top to monitor process activity, which may include Sliver-related strings
Filter/Exclusion: Exclude processes with /bin/ps, /bin/top, or /usr/bin/procps in the command line, and filter by user IDs associated with system administration.
Scenario: Log analysis or forensic tool like logrotate or splunk that processes logs containing Sliver-related strings
Filter/Exclusion: Exclude processes with /usr/sbin/logrotate, /opt/splunk/bin/splunk, or similar paths, and filter by log file paths or specific log types (e.g., /var/log/auth.log).