The ThreatFox: AdaptixC2 IOCs rule detects potential command and control activity associated with the AdaptixC2 malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be operating undetected within their environment.
IOC Summary
Malware Family: AdaptixC2
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 100[.]48[.]13[.]113:8080 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 100[.]48[.]13[.]113:443 | botnet_cc | 2026-06-04 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
// Matches on the address alone; the ThreatFox entries above are for ports 8080 and 443
let malicious_ips = dynamic(["100.48.13.113"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Matches on the address alone; RemotePort is projected so analysts can compare it with the IOC ports
let malicious_ips = dynamic(["100.48.13.113"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
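The hunts above match on the IP address alone, while the ThreatFox indicators are ip:port pairs. The following added example (not part of this rule page or of ThreatFox) refangs the indicators from the table, renders a DeviceNetworkEvents query that matches the exact ip:port pair, and labels constructed sample events as exact hits or address-only hits so that the broader matches can be triaged at lower confidence; the table and column names are the ones used on this page, and the sample events are made up.

```python
import re
from typing import NamedTuple

# Indicators copied from the IOC table above, in the defanged form ThreatFox publishes
THREATFOX_IOCS = ["100[.]48[.]13[.]113:8080", "100[.]48[.]13[.]113:443"]

class IpPort(NamedTuple):
    ip: str
    port: int

def refang(ioc: str) -> IpPort:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into an (ip, port) pair."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"unexpected ThreatFox ip:port indicator: {ioc!r}")
    return IpPort(ip, int(port))

def build_kql(iocs):
    """Render a DeviceNetworkEvents hunt that requires both address and port to match."""
    pairs = ", ".join(f'"{i.ip}:{i.port}"' for i in iocs)
    return (
        f"let c2_endpoints = dynamic([{pairs}]);\n"
        "DeviceNetworkEvents\n"
        "| where strcat(RemoteIP, ':', tostring(RemotePort)) in (c2_endpoints)\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )

def classify(events, iocs):
    """'exact' when ip and port match an IOC; 'ip_only' when only the address matches (review at lower confidence)."""
    exact, ips = set(iocs), {i.ip for i in iocs}
    results = []
    for ev in events:
        hit = IpPort(ev["RemoteIP"], ev["RemotePort"])
        if hit in exact:
            results.append((ev["DeviceName"], "exact"))
        elif hit.ip in ips:
            results.append((ev["DeviceName"], "ip_only"))
    return results

# Constructed sample telemetry, not real events
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "RemoteIP": "100.48.13.113", "RemotePort": 8080, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws-02", "RemoteIP": "100.48.13.113", "RemotePort": 22, "InitiatingProcessFileName": "ssh.exe"},
    {"DeviceName": "ws-03", "RemoteIP": "10.0.0.5", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
]

if __name__ == "__main__":
    iocs = [refang(i) for i in THREATFOX_IOCS]
    print(build_kql(iocs))
    for device, kind in classify(SAMPLE_EVENTS, iocs):
        print(f"{device}: {kind}")
```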
Scenario: Legitimate scheduled job using hunting tool
Description: A system administrator runs a scheduled job using the hunting tool to analyze network traffic for security purposes.
Filter/Exclusion: Exclude processes where the command line includes hunting and the user is a system admin or has elevated privileges.
Scenario: Admin task using adaptix CLI tool
Description: A security team member uses the adaptix CLI tool (a legitimate network analysis tool) to perform a network scan or configuration check.
Filter/Exclusion: Exclude processes where the executable path contains adaptix and the user is part of the security team or has a known legitimate use case.
Scenario: False positive from a third-party SIEM integration
Description: A SIEM system (e.g., Splunk, ELK) integrates with a threat intelligence feed that includes false positives related to AdaptixC2.
Filter/Exclusion: Exclude events where the source is a known SIEM integration or where the IOC is flagged as a false positive in the threat intelligence feed.
Scenario: Legitimate system update or patching process
Description: A system update or patching process includes a file or command that matches an IOC associated with AdaptixC2 due to a naming similarity.
Filter/Exclusion: Exclude processes where the file or command is part of a known patching or update mechanism, or where the user is a system admin performing maintenance.
Scenario: False positive from a network monitoring tool
Description: A network monitoring tool (e.g., Wireshark, tcpdump) generates traffic that matches an IOC due to normal network behavior or protocol parsing.
Filter/Exclusion: Exclude traffic where the source is a known network monitoring tool or where the traffic is part of a legitimate network