Adversaries using AdaptixC2 are likely establishing command and control communication through suspicious network traffic patterns associated with the identified IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential compromise of critical systems.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 3 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]198[.]224[.]213:4321 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 185[.]207[.]154[.]11:4848 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 1[.]14[.]234[.]107:8989 | botnet_cc | 2026-06-14 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["45.198.224.213", "1.14.234.107", "185.207.154.11"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.198.224.213", "1.14.234.107", "185.207.154.11"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using hunting tool
Description: A system administrator schedules a daily job using the hunting tool to analyze network traffic for security anomalies.
Filter/Exclusion: process.name != "hunting"
Scenario: Admin task using adaptix CLI tool for configuration management
Description: An administrator uses the adaptix CLI tool to configure network devices, which includes running scripts that match the IOC pattern.
Filter/Exclusion: process.name != "adaptix"
Scenario: Automated log analysis tool processing logs
Description: A log analysis tool like splunk or ELK is processing logs and temporarily matches an IOC pattern during log parsing.
Filter/Exclusion: process.name != "splunk" OR process.name != "logstash"
Scenario: Legitimate use of powershell for script execution
Description: A PowerShell script is run by a system admin to automate a routine task, and the script contains a string that matches an IOC.
Filter/Exclusion: process.name != "powershell" OR process.user == "admin"
Scenario: False positive from a third-party security tool integration
Description: A third-party security tool like CrowdStrike or SentinelOne is integrated with the SIEM and generates alerts that match the IOC pattern.
Filter/Exclusion: process.name != "crowdstrike" AND process.name != "sentinelone"