The ThreatFox: Sliver IOCs rule detects potential adversary activity associated with the Sliver C2 framework by identifying known malicious indicators linked to its infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threat (APT) activities early in the attack lifecycle.
IOC Summary
Malware Family: Sliver
Total IOCs: 7
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]245[.]185[.]195:9988 | payload_delivery | 2026-06-03 | 50% |
| ip:port | 46[.]8[.]226[.]70:80 | payload_delivery | 2026-06-03 | 50% |
| ip:port | 5[.]180[.]253[.]105:8000 | payload_delivery | 2026-06-03 | 50% |
| ip:port | 24[.]12[.]218[.]134:9090 | payload_delivery | 2026-06-03 | 50% |
| ip:port | 185[.]246[.]223[.]72:5000 | payload_delivery | 2026-06-03 | 50% |
| ip:port | 165[.]245[.]181[.]147:8000 | payload_delivery | 2026-06-03 | 50% |
| ip:port | 164[.]90[.]231[.]249:31337 | botnet_cc | 2026-06-03 | 50% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Sliver
let malicious_ips = dynamic(["46.8.226.70", "5.180.253.105", "165.245.181.147", "172.245.185.195", "164.90.231.249", "24.12.218.134", "185.246.223.72"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["46.8.226.70", "5.180.253.105", "165.245.181.147", "172.245.185.195", "164.90.231.249", "24.12.218.134", "185.246.223.72"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
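The two hunting queries match on IP address only, while the feed publishes ip:port pairs; a connection to one of these hosts on an unrelated port will therefore surface as well. The Python below is an added example, not part of the ThreatFox feed or the Sentinel rule: it refangs the defanged ip:port values from the IOC table, renders the same `let malicious_ips = dynamic([...])` line the queries use, and matches a few constructed CommonSecurityLog-style records, flagging exact IP+port matches separately from IP-only ones so an analyst can prioritise. The sample records, their timestamps and the internal 10.0.0.x / 203.0.113.x addresses are constructed; the field names follow the CommonSecurityLog columns the query projects.

```python
"""Refang ThreatFox Sliver ip:port IOCs, emit the KQL IP list, and do a
port-aware match over constructed firewall records (added example)."""
from dataclasses import dataclass

# IOC rows copied from the table above, defanged with [.] as ThreatFox publishes them.
IOC_ROWS = [
    ("172[.]245[.]185[.]195:9988", "payload_delivery"),
    ("46[.]8[.]226[.]70:80", "payload_delivery"),
    ("5[.]180[.]253[.]105:8000", "payload_delivery"),
    ("24[.]12[.]218[.]134:9090", "payload_delivery"),
    ("185[.]246[.]223[.]72:5000", "payload_delivery"),
    ("165[.]245[.]181[.]147:8000", "payload_delivery"),
    ("164[.]90[.]231[.]249:31337", "botnet_cc"),
]

# Constructed sample records in CommonSecurityLog column naming (not real telemetry).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-06-04T09:12:01Z", "SourceIP": "10.0.0.15", "SourcePort": 51022,
     "DestinationIP": "164.90.231.249", "DestinationPort": 31337, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-04T09:15:44Z", "SourceIP": "10.0.0.22", "SourcePort": 51310,
     "DestinationIP": "46.8.226.70", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-04T09:20:10Z", "SourceIP": "10.0.0.30", "SourcePort": 51877,
     "DestinationIP": "203.0.113.10", "DestinationPort": 443, "DeviceAction": "allow"},
]


def refang(value: str) -> str:
    """Turn 'a[.]b[.]c[.]d:port' back into the routable 'a.b.c.d:port' form."""
    return value.replace("[.]", ".")


def parse_iocs(rows):
    """Return {(ip, port): threat_type} for every ip:port row."""
    iocs = {}
    for raw, threat_type in rows:
        ip, port = refang(raw).rsplit(":", 1)
        iocs[(ip, int(port))] = threat_type
    return iocs


def kql_ip_list(iocs) -> str:
    """Render the `let malicious_ips = dynamic([...])` line used by both hunting queries."""
    ips = sorted({ip for ip, _ in iocs})
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let malicious_ips = dynamic([{quoted}]);"


@dataclass
class Hit:
    record: dict
    ip: str
    port: int
    threat_type: str
    exact: bool  # True when both IP and port matched a published IOC


def match_records(records, iocs):
    """Port-aware equivalent of the CommonSecurityLog hunt.

    IP+port matches are marked exact; IP-only matches are still returned but
    flagged, because the published KQL ignores the port and would return them too.
    """
    by_ip = {}
    for (ip, port), ttype in iocs.items():
        by_ip.setdefault(ip, []).append((port, ttype))
    hits = []
    for rec in records:
        for ip_field, port_field in (("DestinationIP", "DestinationPort"), ("SourceIP", "SourcePort")):
            ip = rec.get(ip_field)
            if ip not in by_ip:
                continue
            port = rec.get(port_field)
            exact = [t for p, t in by_ip[ip] if p == port]
            ttype = exact[0] if exact else by_ip[ip][0][1]
            hits.append(Hit(rec, ip, port, ttype, bool(exact)))
    return hits


def hunt(records=None):
    """Run the port-aware match over the sample records (or any list supplied)."""
    return match_records(SAMPLE_RECORDS if records is None else records, parse_iocs(IOC_ROWS))


if __name__ == "__main__":
    print(kql_ip_list(parse_iocs(IOC_ROWS)))
    for h in hunt():
        flag = "EXACT" if h.exact else "ip-only"
        print(f"{h.record['TimeGenerated']} {h.ip}:{h.port} {h.threat_type} [{flag}]")
```

With the constructed records the script reports one exact hit (the botnet_cc endpoint on 31337) and one IP-only hit (46.8.226.70 on 443 instead of the published 80); the KQL above would return both with no distinction, so the port is worth carrying into the projected columns when triaging.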
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system integrity check using Sysmon | Exclude events where Image contains sysmon.exe and EventID is 1 or 7. |
| Regular use of PowerShell for administrative tasks (e.g., updating software, managing services) | Exclude events where ProcessName is powershell.exe and CommandLine contains known legitimate PowerShell administrative commands. |
| Execution of Sliver-compatible tools for red team exercises (e.g., Cobalt Strike, Empire) | Exclude events where ProcessName is cobaltstrike.exe or empire.exe and CommandLine includes known red team command-line arguments. |
| Legitimate use of Windows Task Scheduler for routine maintenance jobs | Exclude events where ProcessName is schtasks.exe and CommandLine includes /create with a known legitimate job name. |
| Use of Windows Event Log tools for log analysis (e.g., LogParser, PowerShell scripts) | Exclude events where ProcessName is logparser.exe or powershell.exe and CommandLine includes log analysis or parsing commands. |