Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

https://thehackernews.com/2026/07/attacker-uses-suspected-ai-generated.html

Publish Date: 2026-07-13 07:02:00

Source Domain: thehackernews.com

Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration.

“The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the enumeration attempt,” Huntress researchers Jevon Ang and Dray Agha said.

The attack chain involved the threat actor establishing Remote Desktop Protocol (RDP) access onto a domain-joined Windows Server with a set of pre-compromised credentials, followed by staging the tools in the “C:ProgramData” folder. The incident took place in early June 2026.

This included an artificial intelligence (AI)-generated payload to map the Active Directory environment. The assessment is based on various telltale signs, such as the prompt iteration title, placeholder strings, over-engineered code that features multiple methods to find a Domain Controller, and beautified console output using cyan, green, red, and yellow.

Huntress described the bespoke PowerShell script as “highly aggressive” and “noisy,” making use of a “five-step cascading fallback mechanism” to enable reconnaissance and discovery. It’s titled “100% Working AD Information Gathering Script – FULLY FIXED,” suggesting a back-and-forth with a large language model (LLM).

Once the primary Domain Controller is located, it initiates a data collection routine to systematically harvest AD users, computers, groups, organizational units (OUs), and trusts, and store the details in a staging directory.

About 30 minutes later, the attacker moved to deploy a s5cmd, a legitimate tool used for bulk file operations, along with SharpShares, a C#-based network shares enumeration utility, to look for user-accessible data repositories.

In the final stage, the data is said into CSV files, archived, and exfiltrated to a remote server, but not before…

Source