
Huntress found an AI-generated PowerShell script used for AD reconnaissance, showing attackers are using AI to create custom, evasive tools.
During an incident response investigation on June 3, 2026, Huntress analyst Jevon Ang recovered a PowerShell script from a compromised Windows Server that the attacker had used to map out the victim’s Active Directory environment. The script hadn’t been downloaded from a public repository or pulled from a known offensive toolkit. It was custom-built, almost certainly by prompting an AI model until the output worked. Huntress researchers reconstructed the full script from PowerShell script block logging, specifically Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.
“The script, enthusiastically titled “100% Working AD Information Gathering Script – FULLY FIXED”, is a highly aggressive, noisy, custom-built AD enumeration tool. It doesn’t try to hide its functions, and has a number of distinct and interesting phases.” reads the report published by Huntress.
The attack itself wasn’t particularly novel. The threat actor gained RDP access using pre-compromised credentials, staged tools in C:\ProgramData, ran the custom recon script within minutes of establishing the session, then roughly thirty minutes later deployed s5cmd.exe, a legitimate Amazon S3 command-line tool that Huntress has seen repeatedly abused for data theft. A second pass with SharpShares.exe followed, hunting for additional data repositories.
“One thing to emphasize here is that AI isn’t changing the game by any means during this incident. The underlying attack chain still resembles the tried-and-tested smash-and-grab playbook we’ve seen for years.” continues the report.”This core methodology has remained consistent, but it is now being selectively augmented by AI. This hybrid approach prioritises aggression and speed over stealth, allowing threat actors to execute highly damaging campaigns faster than ever.”
The PowerShell file was named Untitled1.ps1, which is what you get when someone copies code out of an AI chat window and saves it without renaming it. The script’s internal title is “100% Working AD Information Gathering Script – FULLY FIXED,” which is a textbook artifact of someone iterating with an AI, hitting errors, pasting those errors back into the chat, and eventually copying out whatever the model produced when it stopped failing. The title isn’t something a human writing their own tool would choose. It’s the label an AI puts on the version that finally passed testing.
The script opens by identifying the domain controller through five separate methods in sequence: DNS lookup, nltest, the Active Directory PowerShell module, environment variables, and finally a hardcoded fallback. A human writing a recon script picks one or two reliable methods. An AI told “make sure it doesn’t fail to find the DC” will exhaustively generate every approach in its training data.
“The five distinct methods to find a Domain Controller scream “AI generation”. A human writing this script would typically pick the best one or two methods. An LLM, when told “make sure it doesn’t fail to find the DC,” will exhaustively generate every method in its training data.” states Huntress.
The most damning single detail is a hardcoded fallback value in that DC discovery block: $dc = "Server1.HR.local". That’s a literal placeholder the AI included as an example, and the attacker copied the script without editing it. The variable would only matter if all four preceding discovery methods failed simultaneously, so it likely never fired, but it was still there, unchanged, in the deployed payload.
Once it located the domain controller, the script ran a structured dump of Active Directory users, computers, groups, organizational units, subnets, domain trusts, DNS subnet records, and a filtered list of users with email addresses. Everything landed in a timestamped directory under C:\AD_Reports_, saved as CSV files.
The script then generated a formatted HTML summary report of the collection, which Huntress notes is almost certainly an unsolicited addition from the AI rather than something the attacker specifically asked for.
“The final phase of the script is surprisingly focused on presentation. Instead of simply zipping the CSV files and exiting, it writes an entire HTML file to summarise the data theft.” states the report. “Why does a threat actor need a beautiful HTML report, you ask? We thought the same. It’s likely a “helpful” inject from the LLM that the attacker simply went along with, rather than being intentionally authored into the script.”
After creating the report, the script zipped everything into a single archive. A threat actor who wanted to understand why their recon output looked the way it did could open a nicely formatted HTML file and find out. Nice touch.
The practical challenge for defenders is that Untitled1.ps1 has never existed before and won’t exist again in the same form. Traditional endpoint detection and antivirus tools rely heavily on file hashes and static string signatures. A known tool like SharpHound gets caught immediately because the binary is recognized. A script generated fresh by an AI for a specific incident has no hash to match against.
“Vibe coding lowers the barrier to entry for cybercrime, allowing unsophisticated actors to generate highly capable, evasive tooling on the fly. While the code itself may be messy, over-engineered, and filled with AI hallmarks like left-behind comments, the threat it poses is very real.” continues the report. “To combat this, defenders must abandon rigid, signature-based thinking and embrace behavioral analytics to catch the underlying actions that no LLM can hide.”
The answer isn’t to try to detect AI-generated code, which isn’t reliably distinguishable from human-written code at the binary level. The answer is to focus on what the code does at runtime rather than what it looks like on disk. Active Directory enumeration using Get-ADUser -Filter * against a domain controller, followed by bulk CSV exports, followed by ZIP archive creation in a staging directory, is the same sequence regardless of whether a human or an AI wrote the script that performs it. The behaviors are detectable. Huntress’s SIEM caught the activity through behavioral telemetry rather than file signatures. The attacker had a custom, never-before-seen script. The defenders still saw it.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, AI)





