Researchers Spot Suspected AI Generated PowerShell Script Used For Active Directory Reconnaissance

Researchers Spot Suspected AI Generated PowerShell Script Used For Active Directory Reconnaissance

Cybersecurity researchers have identified an intrusion in which an unknown threat actor used a suspected artificial intelligence generated PowerShell script to perform reconnaissance and map an Active Directory environment. According to researchers at Huntress, the script was designed to identify the Domain Controller and collect information about users, computers, domains, and other Active Directory components before exporting the gathered data into files and generating an HTML report to measure the success of the operation. The incident, which occurred in early June 2026, is another example of how artificial intelligence is increasingly being incorporated into cyber operations to simplify complex tasks and reduce the level of expertise required to conduct attacks.

The attack began when the threat actor gained Remote Desktop Protocol access to a domain joined Windows Server using previously compromised credentials. After obtaining access, the attacker staged tools within the system’s ProgramData directory and deployed a PowerShell script that researchers believe was generated with assistance from an artificial intelligence model. Huntress based its assessment on several indicators, including placeholder text, prompt style titles, highly structured code, and the use of color coded console output. The script was titled “100% Working AD Information Gathering Script, FULLY FIXED,” which researchers believe suggests an iterative development process involving a large language model. The tool used multiple methods to locate the Domain Controller and employed a five step fallback mechanism to ensure that reconnaissance activities continued even if one approach failed. Once the Domain Controller was identified, the script systematically collected details related to users, groups, organizational units, trusts, and computer systems before storing the information in a staging directory.

Approximately 30 minutes after the reconnaissance phase began, the attacker deployed additional tools, including s5cmd, a legitimate utility used for bulk file operations, and SharpShares, a network share enumeration tool written in C Sharp. These utilities were used to search for accessible repositories containing valuable information. Researchers said the collected data was exported into CSV files, compressed, and prepared for exfiltration to a remote server. Before transferring the information, the script generated an HTML based Active Directory Inventory Report that summarized the data obtained during the operation. Huntress researchers described the script as highly aggressive and noisy, suggesting that its purpose was to gather as much information as possible in a short period of time rather than remain undetected within the environment.

The findings come as security companies continue to document the growing use of artificial intelligence in cyberattacks. In a separate report published by incident response firm Sygnia, researchers detailed an AI assisted cloud attack that progressed from initial access to a broad compromise of an Amazon Web Services environment in approximately 72 hours. The attackers repeatedly used newly obtained credentials to conduct reconnaissance, harvest secrets, establish persistence, and exfiltrate data. According to Sygnia, the attack did not rely on new malware or previously unknown vulnerabilities but instead combined established techniques with the speed and efficiency provided by artificial intelligence. Researchers noted that AI is increasingly acting as a force multiplier for cybercriminals by reducing the time and effort needed to operationalize traditional attack methods across complex environments, enabling less experienced actors to launch sophisticated and highly damaging campaigns at a much faster pace.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment