Adversaries operating AdaptixC2 are likely establishing command and control over network connections to the IP addresses and ports listed in the IOCs below. SOC teams should proactively hunt for these connections in Azure Sentinel to identify and contain hosts compromised through this C2 infrastructure.
IOC Summary

Malware Family: AdaptixC2
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]200[.]84[.]198:8515 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 45[.]32[.]236[.]190:2096 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 104[.]225[.]149[.]151:54321 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 45[.]155[.]69[.]153:443 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 45[.]155[.]69[.]153:80 | botnet_cc | 2026-05-27 | 100% |
| ip:port | 45[.]155[.]69[.]153:8080 | botnet_cc | 2026-05-27 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
let malicious_ips = dynamic(["45.32.236.190", "91.200.84.198", "104.225.149.151", "45.155.69.153"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.32.236.190", "91.200.84.198", "104.225.149.151", "45.155.69.153"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
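The queries above match on IP alone, while the feed carries ip:port pairs, so a connection to 45.155.69.153 on a port the feed does not list is weaker evidence than one on 443, 80 or 8080. As an added example (not part of the original page), this Python refangs and validates the IOC table, then grades constructed sample events by whether they hit only a feed IP or a full ip:port pair; the record field names are assumed to mirror CommonSecurityLog columns.

```python
import ipaddress

# IOC rows copied from the table above, still defanged ("[.]"), with their confidence.
PAGE_IOCS = [
    ("91[.]200[.]84[.]198:8515", 75), ("45[.]32[.]236[.]190:2096", 75),
    ("104[.]225[.]149[.]151:54321", 75), ("45[.]155[.]69[.]153:443", 100),
    ("45[.]155[.]69[.]153:80", 100), ("45[.]155[.]69[.]153:8080", 100),
]

def parse_iocs(rows):
    """Refang and validate each indicator; return (set of IPs, {(ip, port): confidence})."""
    ips, pairs = set(), {}
    for raw, confidence in rows:
        ip, _, port = raw.replace("[.]", ".").rpartition(":")
        ipaddress.ip_address(ip)                 # ValueError on a malformed address
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {raw}")
        ips.add(ip)
        pairs[(ip, port)] = confidence
    return ips, pairs

def classify(event, ips, pairs):
    """'exact' when ip:port is in the feed, 'ip_only' when only the IP is, else None."""
    for ip_key, port_key in (("DestinationIP", "DestinationPort"),
                             ("SourceIP", "SourcePort")):
        ip, port = event.get(ip_key), event.get(port_key)
        if (ip, port) in pairs:
            return "exact", pairs[(ip, port)]
        if ip in ips:
            return "ip_only", None
    return None, None

def hunt(events, rows=PAGE_IOCS):
    """Return [(TimeGenerated, kind, confidence)] for every event touching a feed IP."""
    ips, pairs = parse_iocs(rows)
    graded = ((ev["TimeGenerated"],) + classify(ev, ips, pairs) for ev in events)
    return [hit for hit in graded if hit[1]]

# Constructed CommonSecurityLog-style records, not real telemetry (assumed field names).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-27T10:01:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "45.155.69.153", "DestinationPort": 443},      # feed ip:port
    {"TimeGenerated": "2026-05-27T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "45.155.69.153", "DestinationPort": 22},       # feed IP, unlisted port
    {"TimeGenerated": "2026-05-27T10:03:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53},             # benign
    {"TimeGenerated": "2026-05-27T10:04:00Z", "SourceIP": "91.200.84.198", "SourcePort": 8515,
     "DestinationIP": "10.0.0.5", "DestinationPort": 51000},         # inbound from a feed host
]
```

Triage "ip_only" hits after the "exact" ones, and extend the KQL `where` clause with the port columns when the feed's port list is meant to be authoritative.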
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using hunted tool for log analysis
Description: A system administrator schedules a daily job using the hunted tool to analyze log files for security anomalies.
Filter/Exclusion: Exclude processes initiated by the hunted tool running under a known admin user account with a scheduled task ID.

Scenario: System update using hunted for package management
Description: A DevOps team uses hunted as part of a package management process to verify dependencies during a system update.
Filter/Exclusion: Exclude processes where hunted is used in conjunction with known package managers like apt, yum, or npm and within a known update script.

Scenario: Admin task using hunted for forensic analysis
Description: A security analyst runs hunted manually to investigate a potential security incident and gather forensic data.
Filter/Exclusion: Exclude processes initiated by a known security analyst user account and associated with a specific incident response playbook.

Scenario: Log parsing tool using hunted for log normalization
Description: A log management tool uses hunted to parse and normalize log entries from various sources.
Filter/Exclusion: Exclude processes where hunted is used in conjunction with log parsing tools like logstash or splunk and within a known log processing pipeline.

Scenario: Testing environment with hunted for C2 simulation
Description: A red team or security team uses hunted in a controlled test environment to simulate C2 traffic for training purposes.
Filter/Exclusion: Exclude processes running in a known test or sandbox environment, identified by IP ranges, hostnames, or specific network segments.