The ThreatFox: Sliver IOCs rule detects potential adversary activity associated with the Sliver C2 framework by identifying known malicious indicators linked to its command and control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced persistent threats leveraging Sliver.
IOC Summary
Malware Family: Sliver
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]142[.]107[.]41:1030 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 45[.]142[.]107[.]41:31337 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 207[.]148[.]2[.]115:60060 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 207[.]148[.]2[.]115:60061 | botnet_cc | 2026-05-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Sliver
let malicious_ips = dynamic(["45.142.107.41", "207.148.2.115"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.142.107.41", "207.148.2.115"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
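The two queries above match on bare IP addresses, so any unrelated service on the same host will also surface. Because ThreatFox publishes these Sliver indicators as ip:port pairs, the query below, an added example that is not part of the ThreatFox record or the Sliver project, joins on the exact address and port across both Sentinel tables; the 30-day window and the output column names are assumptions.

```kql
// Added example: exact ip:port matching for the four Sliver C2 indicators listed above.
// Values are the defanged IOCs from the table, re-fanged for querying.
let sliver_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "45.142.107.41", 1030,
    "45.142.107.41", 31337,
    "207.148.2.115", 60060,
    "207.148.2.115", 60061
];
// Assumed lookback window; widen it when hunting retroactively.
let lookback = 30d;
// Normalise endpoint telemetry to a common shape.
let mde = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | project Timestamp, Host = DeviceName, RemoteIP, RemotePort,
              Detail = InitiatingProcessFileName, Source = "DeviceNetworkEvents";
// Normalise firewall/proxy telemetry (CEF) to the same shape; the source IP stands in for the host.
let csl = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | project Timestamp = TimeGenerated, Host = SourceIP, RemoteIP = DestinationIP,
              RemotePort = DestinationPort, Detail = Activity, Source = "CommonSecurityLog";
union mde, csl
// Cheap prefilter on the two addresses before the join does exact ip:port matching.
| where RemoteIP in ("45.142.107.41", "207.148.2.115")
| join kind=inner sliver_c2 on RemoteIP, RemotePort
// One row per host and C2 endpoint, with first/last sighting for triage and scoping.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            Details = make_set(Detail, 20), Sources = make_set(Source)
          by Host, RemoteIP, RemotePort
| order by LastSeen desc
```

A hit on 45.142.107.41 with a port other than 1030 or 31337 is dropped by the join, so keep the broader IP-only queries above for an initial sweep and use this one to prioritise confirmed C2 sessions.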
Scenario: Scheduled System Integrity Check Using sfc /scannow
Description: The System File Checker tool is run as part of a regular maintenance task, which may trigger the detection due to network or file system activity.
Filter/Exclusion: Exclude processes where the command line includes sfc /scannow or the process name is sfcos.exe.
Scenario: Admin Task Using PowerShell to Query Event Logs
Description: An administrator is performing a routine log analysis using PowerShell, which may involve querying event logs or using tools like Get-EventLog, leading to activity resembling malicious IOCs.
Filter/Exclusion: Exclude processes with the executable path containing powershell.exe and command lines that include Get-EventLog or Get-WinEvent.
Scenario: Legitimate Network Discovery via nmap
Description: A network administrator is performing a network scan using nmap to identify active hosts and open ports, which may trigger network-related IOCs.
Filter/Exclusion: Exclude processes where the executable is nmap.exe and the command line includes options like -sP or -sn for ping scans.
Scenario: Software Update via msiexec
Description: A legitimate software update is being installed using msiexec, which may involve downloading or executing files that match the IOC patterns.
Filter/Exclusion: Exclude processes where the executable is msiexec.exe and the command line includes /i or /update for installation or patching.
Scenario: Database Backup Using sqlcmd
Description: A database administrator is running a backup script using sqlcmd, which may involve connecting to a SQL Server instance and performing data transfer, triggering network or file IOCs.