“'/home/redacted/.codex/shell_snapshots/019d0c2c-e8a6-7840-8135-37ba5e11af5d.sh' > /dev/null 2>&1; then :; fi exec '/bin/bash' -c 'curl -i http://127.0.0.1:3016/[redacted]/index.m3u8' This wasn’t a mistake. While this AI-g…”
T1059.004 Unix Shell (89%)
“that is actually part of the user’s day-to-day business function. This data includes Huntress signal events firing off at the time of agent installation – but it also includes studying all the different things that have happened on the device historically, to help analysts …”
T1496 Resource Hijacking (75%)
“’s retroactive investigation into forensic telemetry, below is an outline of the (legitimate) user’s actions before they installed the Huntress agent. Something's amiss: loud fans and slow performance. On March 19, the user’s system started up. Codex chat logs show us th…”
T1543.002 Systemd Service (72%)
“…mp/systemd-logind, had been compiled in August 2024, suggesting this was a remnant from a previous compromise. Codex suggested CPU throttling, and the user subsequently applied a Linux terminal command to quiet the fans. The user seemed to be happy with Codex's suggestion…”
T1021.001 Remote Desktop Protocol (61%)
“clues that can help verify if, in fact, the event is actually malicious. As highlighted in this blog post, these telemetry-driven investigations are more important than ever today because threat actors frequently try to hide in plain sight by using living-off-the-land tec…”
T1195.001 Compromise Software Dependencies and Development Tools (57%)
“: the Huntress SOC, a group of at least two different threat actors, and a third-party developer using OpenAI’s Codex coding agent to try to knock down malicious activity on their Linux system. In this first part of our two-part blog series, we will break down how the end u…”
T1059.004 Unix Shell (42%)
“to respond to suspicious activity, which added further wrinkles to SOC analysts that were trying to carry out the investigation. While the use of Codex helped the user remediate certain parts of the attack, like killing one instance of the cryptominer, it posed an unintentional c…”
T1563.002 RDP Hijacking (34%)
Summary
A Linux user recently tried to respond to potentially malicious behavior on their machine using OpenAI’s Codex coding agent, before installing the Huntress agent. What ensued shows the unexpected impacts of this AI use case on DFIR investigations.