“the SOC to rely solely on detected signals and process history. Game over? Insert coin to continue. Throughout this investigation, one question remained unanswered: how did the threat actors originally get in? Because the Huntress agent was installed mid-compromise, we never had…”
T1190 Exploit Public-Facing Application (97%)
“and an AI agent creating plenty of noise in the background. Key takeaways: - SOC analysts found at least two distinct threat actors had simultaneously compromised the endpoint. The first (“Actor A”), which was discussed in part one of this blog series, involved a cryptominer. …”
T1543.002 Systemd Service (95%)
“after the Huntress agent was installed. While working through the investigation, SOC analysts were able to figure out that some of the commands in Figure 1 above were actually legitimate. They were Codex commands, from the legitimate end user trying to troubleshoot strange behavio…”
T1496 Resource Hijacking (92%)
“1.0, both in the affected range. - All the while during the incident, the end user continued relying on Codex for DFIR and remediation assistance. This incident highlighted the limitations of relying solely on AI-driven security responses and the need for comprehensive managed…”
T1070.003 Clear Command History (85%)
“.]128:8080. Difficulty increased: threat actor returns. On April 6, Huntress detected a barrage of activity from this impacted Linux environment: - 28+ repeated wget downloads of installsh to /tmp/corn - 16+ repeated wget downloads of dnser to /tmp/defunctr - all fro…”
T1496 Resource Hijacking (85%)
“ELF binary) twice daily - systemd user services (.arpupdate.service, .dnsupdate.service) running from /dev/shm/ - direct execution deploying: XMRig cryptominer (fkkkf), as well as residential proxy and bandwidth-selling services (earnfm, repocket). Notably, there…”
T1496 Resource Hijacking (83%)
“) - old compromise, likely from 2024 (binary compiled Aug 2024) - simple @reboot crontab persistence - private mining pool at 62.60.246[.]210:443. Actor B (multi-revenue botnet) - infrastructure: 162.55.234[.]175:4082 (hetzer, Germany) - revenue streams: x…”
T1059.004 Unix Shell (82%)
“Untangling a Linux Incident with an OpenAI Twist (Part 2). Acknowledgments: special thanks to Tanner Filip and Lindsey O’Donnell-Welch for their contributions to this blog and research. Recently, the Huntress Security Operations Center (SOC) came across a strange incident…”
T1105 Ingress Tool Transfer (75%)
“(i.e. history -c 2>/dev/null), which can be seen in Figure 1. About an hour after the first miner was removed by Codex, a base64-encoded payload then ran via an activity cluster that we are tracking as Actor C. Notably, while the activity in this cluster came from the…”
T1552.001 Credentials In Files (68%)
“aws/, ~/.kube/config - application secrets: .env files in /home/[redacted-user]/[redacted-app]/ and project directories - git credentials: .git-credentials - API tokens: token files and bearer tokens from application configs - system metadata: /proc/di…”
T1059 Command and Scripting Interpreter (45%)
“AI in cybersecurity and DFIR investigations. AI is an assistant, not a replacement: Codex successfully identified some threats and implemented useful security hardening measures. However, it lacked contextual awareness, privileged access, continuous monitoring capabilities, and…”
T1496 Resource Hijacking (45%)
“…82, the same Actor B infrastructure seen throughout this incident, confirming this is the same threat actor returning to the host after it was remediated. Furthermore, the same base64-encoded infostealer payloads followed, pulling further malware from 172.245.159[.]216, …”
T1053.003 Cron (43%)
“library. Each method tried until one succeeded, ensuring the payload executed even on minimal or hardened systems where standard tools may be unavailable. Once downloaded, the content was immediately piped to a shell for execution, with all errors suppressed. This was Actor C's…”
T1053.003 Cron (35%)
“…82, the same Actor B infrastructure seen throughout this incident, confirming this is the same threat actor returning to the host after it was remediated. Furthermore, the same base64-encoded infostealer payloads followed, pulling further malware from 172.245.159[.]216, …”
T1496.001 Compute Hijacking (32%)
“) - old compromise, likely from 2024 (binary compiled Aug 2024) - simple @reboot crontab persistence - private mining pool at 62.60.246[.]210:443. Actor B (multi-revenue botnet) - infrastructure: 162.55.234[.]175:4082 (hetzer, Germany) - revenue streams: x…”
Summary
A developer used OpenAI’s Codex to handle suspicious activity, leading to unexpected outcomes found by Huntress SOC analysts during an investigation.