The ThreatFox: Sliver IOCs rule detects potential adversary activity linked to the Sliver C2 framework by identifying known malicious indicators associated with its infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced persistent threats leveraging Sliver.
IOC Summary
Malware Family: Sliver
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]219[.]98[.]36:31337 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 154[.]219[.]98[.]36:8080 | botnet_cc | 2026-06-24 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Sliver
// The IOC table lists ports 31337 and 8080 for this IP; DestinationPort is projected so they can be checked.
let malicious_ips = dynamic(["154.219.98.36"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Sliver
let malicious_ips = dynamic(["154.219.98.36"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
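The two queries above match on the bare IP, while the ThreatFox entries are ip:port pairs. The following is an added Python helper, not part of the original rule or of ThreatFox, that refangs ip:port IOC values, matches them against DeviceNetworkEvents-style rows on the full pair (or on IP only, to mirror the KQL above), and emits an equivalent KQL join; the IOC rows and network events are constructed samples.

```python
import ipaddress

# Constructed rows in the shape of the ThreatFox ip:port entries in the table above.
IOCS = [
    {"ioc_type": "ip:port", "ioc": "154[.]219[.]98[.]36:31337", "threat_type": "botnet_cc"},
    {"ioc_type": "ip:port", "ioc": "154[.]219[.]98[.]36:8080", "threat_type": "botnet_cc"},
]

# Constructed DeviceNetworkEvents-style rows: ws01 hits an ip:port pair exactly, ws02 shares only the IP, ws03 only a port.
EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "154.219.98.36", "RemotePort": 31337, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "RemoteIP": "154.219.98.36", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 8080, "InitiatingProcessFileName": "python.exe"},
]

def refang(value: str) -> str:
    """Undo the "[.]" defanging ThreatFox applies to feed values."""
    return value.replace("[.]", ".")

def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split a defanged ip:port IOC into a validated (ip, port) pair."""
    ip, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port IOC: {ioc}")
    ipaddress.ip_address(ip)  # rejects hostnames or malformed addresses in the feed
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {ioc}")
    return ip, port_num

def ioc_pairs(iocs) -> set[tuple[str, int]]:
    return {parse_ip_port(i["ioc"]) for i in iocs if i["ioc_type"] == "ip:port"}

def match_events(iocs, events, require_port: bool = True) -> list[dict]:
    """Return events hitting an IOC; require_port=False mirrors the IP-only KQL above."""
    pairs = ioc_pairs(iocs)
    ips = {ip for ip, _ in pairs}
    hits = []
    for e in events:
        hit = (e["RemoteIP"], e["RemotePort"]) in pairs if require_port else e["RemoteIP"] in ips
        if hit:
            hits.append(e)
    return hits

def to_kql(iocs, table: str = "DeviceNetworkEvents", ip_col: str = "RemoteIP", port_col: str = "RemotePort") -> str:
    """Emit KQL that joins on the ip:port pair, so IP-only or port-only overlaps do not fire."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in sorted(ioc_pairs(iocs)))
    return (f"let sliver_c2 = datatable({ip_col}:string, {port_col}:int)[{rows}];\n"
            f"{table}\n| join kind=inner sliver_c2 on {ip_col}, {port_col}\n"
            f"| project Timestamp, DeviceName, {ip_col}, {port_col}, InitiatingProcessFileName")
```

Matching on the full pair keeps a shared-hosting IP serving unrelated traffic on other ports from paging the SOC, while the IP-only mode preserves the broader net the original queries cast.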
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| System update or patching process using Sliver as part of a legitimate security toolchain | Exclude processes initiated by known system update tools (e.g., Windows Update, WSUS, Chocolatey, or Ansible with specific playbooks) |
| Scheduled job running Sliver for internal threat hunting or red team exercises | Exclude processes with execution paths in known red team directories (e.g., C:\Users\RedTeam\, C:\Tools\ThreatHunting\) or with specific command-line arguments like --simulate |
| Admin task using Sliver for IOC collection and analysis | Exclude processes launched by administrative tools (e.g., PowerShell, Task Scheduler, or PsExec) with known admin user accounts (e.g., Administrator, Domain Admins) |
| Legitimate use of Sliver for IOC enrichment via ThreatFox integration | Exclude processes that interact with ThreatFox API endpoints or use specific configuration files (e.g., threatfox.conf, ioc_sources.json) associated with the tool |
| False positive from a third-party tool that uses Sliver as a component or dependency | Exclude processes that are part of a known third-party toolchain (e.g., Metasploit, Cobalt Strike, or Empire) and filter by parent process names or execution context |