Active Directory Accounts Enumerated via PowerShell Script
Key Takeaways Threat actors are leveraging AI-generated PowerShell scripts, a technique dubbed “vibe coding,” to enumerate Active Directory (AD) environments. This method allows even...
Key Takeaways
- Threat actors are leveraging AI-generated PowerShell scripts, a technique dubbed “vibe coding,” to enumerate Active Directory (AD) environments.
- This method allows even less-skilled attackers to create custom, single-use malware that bypasses traditional signature-based detection.
- Security researchers at Huntress observed an incident on June 3, 2026, where an AI-generated script, “Untitled1.ps1,” was used for extensive AD mapping.
- AI-generated scripts, while unique in syntax, still exhibit consistent underlying behavioral patterns that can be detected by advanced SIEM and EDR solutions focusing on behavioral analytics.
AI-Generated PowerShell Script Used in Active Directory Enumeration
Cybersecurity analysts are observing a significant evolution in threat actor tactics, with a new trend emerging: the weaponization of AI-generated PowerShell code to map Active Directory (AD) environments. This shift moves beyond readily available hacking tools towards custom, “vibe-coded” malware. Security firm Huntress recently documented an incident from June 3, 2026, where they successfully recovered and reconstructed one such script, named Untitled1.ps1.
Table Of Content
What is “Vibe Coding”?
“Vibe coding” describes a method of software development where an individual iteratively prompts an artificial intelligence with natural language commands, rather than manually writing code. This process continues until the AI’s output fulfills the desired functional requirements. This innovative approach significantly lowers the technical barrier for engaging in cybercrime, enabling threat actors of varying skill levels to produce bespoke, single-use attack tools that effectively evade conventional signature-based detection mechanisms.
Incident Analysis: The Untitled1.ps1 Attack
The observed intrusion began with an attacker employing pre-compromised credentials to establish a Remote Desktop Protocol (RDP) session on a Windows Server integrated into the target domain. Following the initial access, the attacker rapidly staged additional tools within the C:ProgramData directory. Within minutes, the Untitled1.ps1 script was deployed. Its primary objective was to meticulously map the domain’s users, computers, groups, and trusts.
Approximately thirty minutes after the initial enumeration, the attacker executed s5cmd.exe, a legitimate Amazon S3 utility frequently misused for data exfiltration purposes. This was followed by the execution of SharpShares.exe, a tool designed to identify accessible file shares while specifically filtering out administrative shares.
The Researchers reconstructed the script by analyzing Windows Event ID 4104 telemetry, which is captured in the PowerShell Operational log and records deployed script blocks. The analysis revealed that the script employed an overly complex, five-step cascading fallback mechanism to locate the domain controller, utilizing DNS lookups, nltest, the Active Directory module, environment variables, and a hardcoded backup. Once the domain controller was identified, the script systematically exported critical AD components, including Users, Computers, Groups, Organizational Units, Subnets, and Trusts, into individual CSV files. The operation concluded with the generation of a comprehensive AD_Report.html summarizing the collected data and the creation of a zipped archive containing the entire output folder.
Indicators of AI Origin
Several distinct characteristics within the script strongly indicated its AI origin. The script’s title, “100% Working AD Information Gathering Script – FULLY FIXED,” suggested an iterative debugging process, typical of interactions with a chatbot. More critically, an unedited placeholder hostname, “Server1.HR.local,” was discovered within the script’s fallback logic. This artifact served as clear evidence that the attacker had copied and pasted AI-generated output without proper customization.
Furthermore, the script’s redundant discovery methods for locating the domain controller and its excessive use of colorful console output are considered hallmarks of Large Language Model (LLM)-generated code. A human author would typically opt for one or two efficient approaches rather than five, and generally prioritize functionality over verbose cosmetic output.
| Aspect | Traditional Tooling (e.g., BloodHound, Cobalt Strike) | Vibe-Coded Scripts |
|---|---|---|
| Detection method | File hashes, static signatures | Unique per attack, evades hash matching |
| Code origin | Human-authored, reused across campaigns | AI-generated, often single-use |
| Sophistication of actor | Moderate to advanced | Can be low-skill, prompt-driven |
| Core attack behavior | AD enumeration, credential harvesting | Same underlying enumeration mechanics |
The inherent uniqueness of each vibe-coded script poses a significant challenge for traditional antivirus and Endpoint Detection and Response (EDR) tools that rely on static signatures for detection. Huntress emphasizes that while AI can endlessly rephrase code syntax, it struggles to mask the fundamental behaviors of Active Directory enumeration. The underlying system calls and operational footprint remain largely consistent, regardless of the superficial code variations.
This consistency explains why Huntress’s Security Information and Event Management (SIEM) platform was still able to identify the malicious activity through behavioral telemetry, rather than relying on file-based detection methods.
This incident underscores a broader trend: AI is not fundamentally altering attacker playbooks but rather accelerating and personalizing them. This paradigm prioritizes speed and aggression over stealth. As “vibe coding” becomes more prevalent in cybercrime, security teams are strongly encouraged to shift their defensive strategies away from static signature matching towards robust behavioral analytics. Such analytics are designed to detect the underlying tradecraft, which no LLM can completely obscure.
What You Should Do
- Prioritize behavioral analytics in your SIEM and EDR solutions to detect underlying attack patterns that AI-generated code cannot fully mask.
- Implement robust monitoring of PowerShell operational logs (Event ID 4104) to capture and analyze script blocks executed on endpoints.
- Strengthen credential hygiene, including multi-factor authentication (MFA) and regular password rotation, to prevent initial access via compromised credentials.
- Regularly audit Active Directory configurations and permissions to limit the scope of information an attacker can gather during enumeration.
- Educate security teams on the evolving threat landscape, including the capabilities and indicators of AI-generated malware.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.