Adversaries using AdaptixC2 are likely establishing command and control communication through suspicious network connections and file executions. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate potential compromise from advanced persistent threats leveraging this C2 infrastructure.
IOC Summary
Malware Family: AdaptixC2
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]221[.]191[.]167:4323 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 156[.]225[.]22[.]201:1337 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 103[.]106[.]230[.]190:80 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 103[.]106[.]230[.]190:8080 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 103[.]106[.]230[.]190:443 | botnet_cc | 2026-06-06 | 100% |
KQL hunting queries (one per table; run each separately):

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["156.225.22.201", "91.221.191.167", "103.106.230.190"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["156.225.22.201", "91.221.191.167", "103.106.230.190"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
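The KQL queries above match on IP only, while the IOC table carries ip:port pairs with per-entry confidence. The following Python is an added example (not part of the original page or any AdaptixC2 tooling) showing how to refang the table's defanged values, keep the port and confidence alongside each IP, and run the result over a handful of constructed DeviceNetworkEvents-style records so that an exact ip:port hit is ranked above an IP-only hit on an unlisted port. The event format, hostnames and process names are assumptions made for the sample data.

```python
from dataclasses import dataclass

# Defanged ip:port IOCs and confidence values copied from the table above.
DEFANGED_IOCS = {
    "91[.]221[.]191[.]167:4323": 75,
    "156[.]225[.]22[.]201:1337": 75,
    "103[.]106[.]230[.]190:80": 100,
    "103[.]106[.]230[.]190:8080": 100,
    "103[.]106[.]230[.]190:443": 100,
}


def refang(value: str) -> str:
    """Turn a defanged indicator such as '1[.]2[.]3[.]4:80' back into '1.2.3.4:80'."""
    return value.replace("[.]", ".").replace("(.)", ".")


def load_iocs(defanged: dict) -> dict:
    """Return {(ip, port): confidence} with all values refanged."""
    iocs = {}
    for value, confidence in defanged.items():
        ip, port = refang(value).rsplit(":", 1)
        iocs[(ip, int(port))] = confidence
    return iocs


IOCS = load_iocs(DEFANGED_IOCS)
IOC_IPS = {ip for ip, _ in IOCS}


@dataclass
class Match:
    timestamp: str
    host: str
    remote_ip: str
    remote_port: int
    process: str
    confidence: int
    port_match: bool  # True when both IP and port are in the IOC table


# Constructed sample events (hypothetical hosts/processes), one per line:
# timestamp,DeviceName,RemoteIP,RemotePort,InitiatingProcessFileName,ActionType
SAMPLE_EVENTS = """\
2026-06-06T10:01:05Z,WS-0142,103.106.230.190,443,rundll32.exe,ConnectionSuccess
2026-06-06T10:02:11Z,WS-0142,8.8.8.8,53,svchost.exe,ConnectionSuccess
2026-06-06T10:03:47Z,SRV-DB01,156.225.22.201,1337,updater.exe,ConnectionFailed
2026-06-06T10:04:02Z,WS-0077,91.221.191.167,8443,chrome.exe,ConnectionSuccess
"""


def hunt(events_csv: str) -> list:
    """Return Match records for events whose RemoteIP is an IOC, ranked for triage.

    An ip:port hit keeps the table's confidence for that pair; an IP-only hit on
    an unlisted port is still reported (the IP itself is the C2 host) but is
    flagged port_match=False and inherits the best confidence seen for that IP.
    """
    matches = []
    for line in events_csv.splitlines():
        if not line.strip():
            continue
        ts, host, rip, rport, proc, _action = line.split(",")
        rport = int(rport)
        if rip not in IOC_IPS:
            continue
        confidence = IOCS.get((rip, rport))
        port_match = confidence is not None
        if not port_match:
            confidence = max(c for (ip, _), c in IOCS.items() if ip == rip)
        matches.append(Match(ts, host, rip, rport, proc, confidence, port_match))
    # Exact ip:port hits first, then by confidence; the sort is stable.
    matches.sort(key=lambda m: (m.port_match, m.confidence), reverse=True)
    return matches


if __name__ == "__main__":
    for m in hunt(SAMPLE_EVENTS):
        tag = "ip:port" if m.port_match else "ip-only"
        print(f"{m.timestamp} {m.host} -> {m.remote_ip}:{m.remote_port} "
              f"({m.process}) [{tag}, confidence {m.confidence}%]")
```

The same refang-and-load step can feed the `malicious_ips` list in the KQL above; keeping the port in the lookup lets an analyst separate a connection to the documented C2 port from one to the same host on another port when deciding what to investigate first.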
Scenario: Legitimate scheduled job using hunting package
Description: A system administrator schedules a daily job using the hunting package to analyze network traffic for security purposes.
Filter/Exclusion: Exclude processes where the command line includes -hunting or where the parent process is a known system management tool (e.g., schtasks.exe, task scheduler).
Scenario: Admin task using hunting for threat hunting
Description: A security analyst runs a manual threat hunting query using the hunting package to investigate potential threats.
Filter/Exclusion: Exclude processes initiated by users with the security analyst or threat hunter role, or filter by user context using user = 'security_analyst'.
Scenario: Legitimate use of hunting in a SIEM tool
Description: A SIEM tool (e.g., Splunk, ELK) uses the hunting package to process and analyze logs for suspicious activity.
Filter/Exclusion: Exclude processes where the parent process is a SIEM agent or collector (e.g., splunkd.exe, logstash), or filter by process name using process.name = 'splunkd'.
Scenario: System update or patching using hunting
Description: A patching tool or update manager uses the hunting package to scan for outdated software or vulnerabilities.
Filter/Exclusion: Exclude processes where the command line includes -patch, -update, or -scan, or where the parent process is a known patching tool (e.g., Windows Update, WSUS).
Scenario: Legitimate use of hunting in a security tool
Description: A security tool (e.g., CrowdStrike, Palo Alto