All incidents

AI-generated PowerShell script used for Active Directory reconnaissance

malwareopenJul 9, 2026 — Jul 14, 2026
AI crafted PowerShell script aids AD recon on hacked server

AN attacker used a large language model to generate a custom PowerShell script that performed aggressive Active Directory reconnaissance on a compromised Windows Server, a technique identified by Huntress between 9 July and 14 July 2026. The script, labelled “100% Working AD Information Gathering Script - FULLY FIXED”, was not copied from any known toolkit but was created entirely from AI‑generated code. Its presence on the server shows how adversaries are blending traditional intrusion steps with automated code generation to speed up post‑exploitation activities.

The script relies on built‑in PowerShell AD modules, issuing commands such as Get‑ADForest, Get‑ADDomain, Get‑ADUser -Filter and Get‑ADGroup to pull user names, group memberships, SIDs and last logon timestamps, then writing the results to a file. Analysts noted clear AI fingerprints in the comments and variable naming, indicating the code was produced by a prompt rather than manual authorship. Because it uses legitimate Windows commands, the activity bypasses many signature‑based defences that look for known malicious binaries.

Huntress believes the initial foothold was obtained through RDP, either by brute forcing weak passwords or reusing stolen credentials, after which the attacker executed the script directly in memory or dropped it to disk with a bypassed execution policy. The tool runs quickly, generating a high volume of AD queries that would be noticeable in a quiet environment, but the actor prioritised speed over stealth to map the domain before moving laterally.

This incident, documented in the Huntress blog here and covered by Security Affairs here, illustrates the rise of “vibe‑coding” where low‑skill operators can produce functional malware with simple prompts. No CVE has been assigned and no threat actor has been attributed, but the case shows that traditional antivirus, which relies on static signatures, struggles to detect each unique AI‑generated sample.

Defenders should enable PowerShell transcription and module logging to capture the exact commands run, and monitor for abnormal sequences of Get‑AD calls that deviate from normal admin activity. Enforcing constrained language mode on workstations and applying AMSI to inspect script contents can block the execution of unknown code. Reviewing RDP logon events for anomalous source addresses, enforcing MFA on privileged accounts and segregating domain controllers from user networks further limit the attacker’s ability to run such tools.

Organisations should also restrict RDP access through VPN or zero‑trust solutions, keep systems patched and regularly audit privileged access rights. Hunting for unexpected text or CSV files left in admin shares or other writable locations can uncover remnants of reconnaissance, and sharing any indicators internally helps improve detection across the environment.

Intelligence briefing updated Jul 14, 2026

Root sourcewww.huntress.com
Timeline Coverage

Swipe to explore timeline