Adversaries operating AdaptixC2 are likely to establish command-and-control (C2) communication with the infrastructure listed in the IOCs below. SOC teams should proactively hunt for connections to these ip:port pairs in Azure Sentinel so that a compromise can be detected and contained early in the attack lifecycle.
IOC Summary
Malware Family: AdaptixC2
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 88[.]119[.]167[.]142:8000 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 87[.]251[.]76[.]213:8443 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 88[.]119[.]167[.]143:8000 | botnet_cc | 2026-05-22 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
// Note: this matches on IP only; the IOC table above also lists the C2 ports
// (8000 and 8443), so check DestinationPort on any hit to prioritise it.
let malicious_ips = dynamic(["88.119.167.143", "87.251.76.213", "88.119.167.142"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AdaptixC2
// InitiatingProcessFileName shows which process opened the connection,
// which is the first thing to triage on a hit.
let malicious_ips = dynamic(["88.119.167.143", "87.251.76.213", "88.119.167.142"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
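As an added example (not part of the original hunting package), the following Python applies the same IOC match offline to constructed rows shaped like the two Sentinel tables above. Unlike the KQL queries, which match on IP alone, it also checks the port from the IOC table so that hits can be ranked as exact ip:port matches versus IP-only matches; the sample rows and device names are constructed, not real telemetry.

```python
"""Match the page's defanged AdaptixC2 ip:port IOCs against constructed
rows shaped like Sentinel's CommonSecurityLog and DeviceNetworkEvents."""
import ipaddress

# Defanged ip:port IOCs exactly as listed in the IOC table above.
DEFANGED_IOCS = [
    "88[.]119[.]167[.]142:8000",
    "87[.]251[.]76[.]213:8443",
    "88[.]119[.]167[.]143:8000",
]

def refang(ioc: str) -> tuple:
    """Turn 'a[.]b[.]c[.]d:port' into (ip, port), validating the IP."""
    ip_part, port_part = ioc.replace("[.]", ".").rsplit(":", 1)
    return str(ipaddress.ip_address(ip_part)), int(port_part)

IOC_SET = {refang(i) for i in DEFANGED_IOCS}   # exact ip:port pairs
IOC_IPS = {ip for ip, _ in IOC_SET}            # IP-only fallback, as the KQL does

# Constructed sample rows (not real telemetry); keys mirror the columns
# the two KQL queries project.
SAMPLE_ROWS = [
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.5",
     "DestinationIP": "88.119.167.142", "DestinationPort": 8000, "DeviceAction": "allow"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.7",
     "DestinationIP": "88.119.167.142", "DestinationPort": 443, "DeviceAction": "allow"},
    {"table": "DeviceNetworkEvents", "DeviceName": "ws01",
     "RemoteIP": "87.251.76.213", "RemotePort": 8443, "InitiatingProcessFileName": "rundll32.exe"},
    {"table": "DeviceNetworkEvents", "DeviceName": "ws02",
     "RemoteIP": "8.8.8.8", "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
]

def classify(row: dict) -> str:
    """'exact' if ip:port matches an IOC, 'ip_only' if only the IP does
    (still worth triage, as the KQL would return it), else 'none'."""
    if row["table"] == "CommonSecurityLog":
        ip, port, other = row["DestinationIP"], row["DestinationPort"], row["SourceIP"]
    else:
        ip, port, other = row["RemoteIP"], row["RemotePort"], None
    if (ip, port) in IOC_SET:
        return "exact"
    if ip in IOC_IPS or other in IOC_IPS:
        return "ip_only"
    return "none"

def hunt(rows):
    """Return (table, verdict) for every row that touches IOC infrastructure."""
    return [(r["table"], classify(r)) for r in rows if classify(r) != "none"]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS):
        print(hit)
```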
Scenario: Legitimate scheduled job using hunting package
Description: A system administrator schedules a daily job using the hunting package to analyze network traffic for security purposes.
Filter/Exclusion: Exclude processes where the command line includes -hunting or --hunting and the user is a system admin (e.g., user == "admin").
Scenario: Admin task using hunting for threat hunting
Description: A security analyst runs a manual threat hunting task using the hunting package to investigate potential threats.
Filter/Exclusion: Exclude processes where the user is a security analyst and the command line includes --hunting or --threat-hunting.
Scenario: Legitimate use of hunting in a SIEM integration
Description: A SIEM tool integrates with a hunting script to fetch and analyze IOC data, which is part of the normal security operations.
Filter/Exclusion: Exclude processes where the parent process is a SIEM tool (e.g., parent_process == "splunkd" or parent_process == "logstash").
Scenario: False positive from a third-party tool using hunting
Description: A third-party security tool or EDR platform uses the hunting package as part of its integration with internal systems.
Filter/Exclusion: Exclude processes where the process name includes third-party or external and the user is not a system admin.
Scenario: Legitimate use of hunting in a DevOps pipeline
Description: A DevOps pipeline includes a script that uses the hunting package to validate code integrity or check for known malicious patterns.
Filter/Exclusion: Exclude processes where the command line includes --devops or `