Adversaries using AdaptixC2 are likely establishing command and control channels to exfiltrate data and maintain persistent access to compromised systems. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate potential advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: AdaptixC2 Total IOCs: 5 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 51[.]79[.]51[.]255:4321 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 45[.]140[.]14[.]29:1489 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 77[.]110[.]119[.]172:443 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 77[.]110[.]119[.]172:80 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 77[.]110[.]119[.]172:8080 | botnet_cc | 2026-06-21 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["77.110.119.172", "45.140.14.29", "51.79.51.255"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["77.110.119.172", "45.140.14.29", "51.79.51.255"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job running hunting.exe for threat intelligence updates
Filter/Exclusion: process.name != "hunting.exe" or process.parent.name == "task scheduler"
Scenario: System administrator using PowerShell to run a script that queries ThreatFox for known indicators
Filter/Exclusion: process.name == "powershell.exe" && process.args.contains("Get-ThreatFox")
Scenario: IT team using Process Explorer or Procmon to manually inspect processes for forensic analysis
Filter/Exclusion: process.name == "procmon.exe" or process.name == "process.explorer.exe"
Scenario: Regular execution of a SIEM correlation job that references ThreatFox data for alert enrichment
Filter/Exclusion: process.name == "siem_correlation.exe" or process.args.contains("threatfox")
Scenario: Use of Windows Task Scheduler to run a script that validates IOC data against internal threat intelligence sources
Filter/Exclusion: process.parent.name == "task scheduler" or process.args.contains("validate-ioc")