Cybercriminals are increasingly utilizing AI-generated PowerShell scripts to map Active Directory (AD) environments, marking a shift from traditional hacking tools to customized, AI-crafted malware. This trend was highlighted by a recent incident analyzed by security researchers at Huntress, where an AI-generated script named Untitled1.ps1 was employed to enumerate an organization’s AD infrastructure.
The attack commenced when the perpetrator used previously compromised credentials to establish a Remote Desktop Protocol (RDP) session on a domain-joined Windows Server. Within minutes, the attacker deployed Untitled1.ps1 to systematically map the domain’s users, computers, groups, and trusts. Approximately thirty minutes later, the attacker executed s5cmd.exe, a legitimate Amazon S3 tool often misused for data exfiltration, followed by SharpShares.exe to identify accessible file shares while excluding administrative ones.
Huntress researchers reconstructed the script from Windows Event ID 4104 telemetry in the PowerShell Operational log, which captures executed script blocks. The script employed a multi-step method to locate the domain controller, including DNS lookup, nltest, the AD module, environment variables, and a hardcoded backup. It then exported AD Users, Computers, Groups, Organizational Units, Subnets, and Trusts into CSV files and generated an AD_Report.html summarizing the collected data, which was subsequently compressed into a zip file.
Several indicators suggested the script’s AI origin. Its title, “100% Working AD Information Gathering Script – FULLY FIXED,” resembles the output of iterative debugging sessions with an AI. Additionally, an unedited placeholder hostname, “Server1.HR.local,” was found within the fallback logic, indicating that the attacker copied AI-generated code without thorough customization. The script’s redundant discovery methods and excessive use of colorful console output are also characteristic of AI-generated code, as human authors typically prefer more efficient approaches.
Comparing traditional tools like BloodHound and Cobalt Strike to these AI-generated scripts reveals notable differences. Traditional tools rely on file hashes and static signatures for detection, whereas AI-generated scripts are unique per attack, evading hash-based detection methods. While traditional tools are human-authored and reused across campaigns, AI-generated scripts are often single-use and can be created by individuals with lower technical skills through prompt-driven interactions with AI.
Because each AI-generated script is effectively unique, traditional antivirus and endpoint detection and response (EDR) tools that rely on static signatures struggle to detect them. However, Huntress emphasizes that while AI can endlessly rewrite code syntax, it cannot easily disguise the fundamental behaviors of AD enumeration; the actual system calls and operational footprint remain consistent.
This development underscores the evolving landscape of cyber threats, where AI is not only a tool for defenders but also for attackers. Organizations must adapt their security strategies to detect and mitigate these AI-generated threats, focusing on behavioral analysis and anomaly detection rather than solely relying on signature-based methods.