Hackers Use AI Tools to Automate Active Directory Discovery and Test EDR Evasion


A threat actor used AI-assisted development tools to build a post-exploitation framework that automates Active Directory discovery and tests malware against endpoint detection and response products.

The activity, detailed by Sophos X-Ops, shows how attackers are using AI tools to speed up malware development, lab testing, documentation, and workflow coordination. Sophos stressed that humans still directed the process.

The framework combined several offensive components, including Cobalt Strike profiles, Telegram-based command and control, Python shellcode injection scripts, a Cloudflare Worker redirector, an automated Active Directory discovery panel, and a testing lab for EDR evasion.

How Sophos found the AI-assisted attack framework

Sophos detected the activity after an anomalous endpoint in a customer environment triggered alerts for payloads stored in C:\Users\User\Documents\test. The files pointed to a broader framework designed to test stealthy post-exploitation activity.

The toolkit included customized Cobalt Strike profiles that tried to make beacon traffic resemble normal web traffic. It also used a Telegram bot API channel for command and control, allowing communications to flow through trusted third-party infrastructure instead of direct attacker servers.

BleepingComputer reported that Sophos linked the framework to cybercriminal activity tied to ransomware deployment and data theft, not legitimate red-team testing. Sophos did not publicly name the ransomware group because of ongoing investigations.

| Component | What researchers found | Why it matters |
|---|---|---|
| Cobalt Strike profiles | Profiles designed to make beacon traffic look like legitimate web requests | Can help malicious traffic blend into normal network activity |
| Telegram C2 | Command-and-control communication routed through Telegram bot infrastructure | Can make blocking and attribution harder for defenders |
| Cloudflare Worker | Front-end redirector used to hide the real backend command server | Can obscure infrastructure and complicate incident response |
| Python malware scripts | Scripts used for shellcode injection into Windows executables | Can support payload execution while attempting to preserve normal program behavior |
| AI-assisted workflow | Cursor and Claude agents helped with coding, testing, and coordination | Can reduce development time and support rapid experimentation |

AI helped build and test the toolkit

Investigators found multiple Python scripts written in Russian that appeared to be partially AI-generated. They also found a Git repository containing two major parts: an automated Active Directory discovery panel and a lab for testing payloads against security products.

The setup used Cursor as an AI-native development environment and multiple AI agents with assigned roles. One Claude Opus 4.5 agent coordinated core operations and rule setting, while other agents supported EDR testing, documentation, operational security checks, proxy stress testing, and virtual machine deployment.

Help Net Security reported that the lab used Windows Server 2022 virtual machines for Sophos, CrowdStrike, and Microsoft Defender testing, plus a separate Ubuntu system hosting a Sliver command-and-control server.

The Active Directory panel was automated, not fully autonomous

The Active Directory component is one of the most important parts of the case. It resembled AI-driven automation because it could collect task results, choose the next action from predefined options, dispatch work to remote agents, and reevaluate when results came back.

However, Sophos said it was not a fully autonomous large language model making open-ended decisions. It followed structured logic and human-defined workflows.

This distinction matters. The threat is not a self-directed AI attacker. The threat is a human operator using AI and automation to move faster during post-exploitation work.

Why Active Directory remains a prime target

Active Directory is a high-value target because it controls identities, permissions, computers, groups, and access paths across many enterprise networks. Once attackers map AD relationships, they can look for privileged users, weak delegation paths, exposed service accounts, or routes to domain control.

MITRE ATT&CK describes Domain Account Discovery as a technique where attackers enumerate domain accounts to understand an environment and identify targets for later activity. Automated AD discovery can speed up that process.

For defenders, this means identity telemetry matters as much as malware detection. Suspicious directory queries, unusual enumeration, unexpected use of domain tools, and abnormal authentication patterns can reveal early-stage intrusion activity before ransomware deployment.

| Attack goal | Likely enterprise risk | Defensive focus |
|---|---|---|
| Map domain users | Attackers identify privileged or useful accounts | Monitor unusual account and group enumeration |
| Find lateral movement paths | Attackers move from one host to more sensitive systems | Track remote execution, SMB activity, and new admin sessions |
| Test EDR bypasses | Attackers refine payloads before deployment | Use behavior-based detection and layered controls |
| Use trusted platforms for C2 | Malicious communications blend into normal traffic | Inspect traffic patterns, process lineage, and endpoint events |
| Prepare ransomware activity | Data theft and encryption may follow | Alert on staging, archive creation, credential dumping, and privilege escalation |
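
An added example (not from Sophos or the original article) of the enumeration monitoring described above: it counts distinct directory objects queried per account and host in a sliding window and skips hosts whose role normally performs directory administration. The event schema, host roles, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed schema: normalized directory-query events; field names are hypothetical.
WINDOW = timedelta(minutes=5)
THRESHOLD = 4  # distinct objects per window; an assumption, tune to a baseline
ADMIN_ROLES = {"domain_controller", "admin_workstation", "identity_sync"}

def find_enumeration_bursts(events, host_roles):
    """Alert once per (account, host) that queries >= THRESHOLD distinct
    directory objects within WINDOW from a host outside ADMIN_ROLES."""
    recent = defaultdict(deque)  # (account, host) -> (time, object) pairs
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["account"], ev["host"])
        role = host_roles.get(ev["host"], "unknown")
        if role in ADMIN_ROLES or key in alerted:
            continue
        q = recent[key]
        q.append((ev["time"], ev["object"]))
        while ev["time"] - q[0][0] > WINDOW:  # drop queries older than WINDOW
            q.popleft()
        distinct = {obj for _, obj in q}
        if len(distinct) >= THRESHOLD:
            alerted.add(key)
            alerts.append({"account": ev["account"], "host": ev["host"],
                           "role": role, "window_start": q[0][0],
                           "distinct_objects": len(distinct)})
    return alerts

def _ev(hhmmss, host, account, obj):
    ts = datetime.fromisoformat("2025-01-10T" + hhmmss)
    return {"time": ts, "host": host, "account": account, "object": obj}

# Constructed sample data, not real telemetry.
HOST_ROLES = {"DC01": "domain_controller", "FILE02": "file_server",
              "HR-PC7": "workstation"}
SAMPLE = [
    _ev("02:14:00", "FILE02", "svc_backup", "CN=Domain Admins"),
    _ev("02:14:20", "FILE02", "svc_backup", "CN=Backup Operators"),
    _ev("02:15:05", "FILE02", "svc_backup", "CN=Server Operators"),
    _ev("02:15:40", "FILE02", "svc_backup", "CN=Domain Computers"),
    _ev("09:00:00", "HR-PC7", "jdoe", "CN=HR Staff"),
    _ev("09:30:00", "HR-PC7", "jdoe", "CN=Printers"),
    _ev("10:00:00", "HR-PC7", "jdoe", "CN=Finance"),
    _ev("10:30:00", "HR-PC7", "jdoe", "CN=Helpdesk"),
    *[_ev(f"11:00:0{i}", "DC01", "adm_ops", f"CN=Group{i}") for i in range(5)],
]
```

On the constructed data only the service account on the file server is flagged; the slow workstation lookups fall outside the window and the domain controller is exempt by role.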

The lab tested payloads against multiple EDR tools

The attacker built a controlled lab to test malware against real endpoint protection agents. Sophos said the environment used several Windows Server 2022 virtual machines and a separate Ubuntu system for Sliver command and control.

The core payload generator was written in Python and produced Windows executables and DLLs, often using Rust and Go payloads. It wrapped payloads in layers of encryption, evasion logic, and alternative execution methods for testing.

Sophos said nearly 80 modules tested more than 70 techniques. The framework's own documentation claimed high bypass success after repeated iterations, but Sophos noted that the reviewed test data did not fully support those claims.

AI agents ingested public security research

The framework also included instructions for AI agents to read public security research, extract attack techniques, map them to MITRE ATT&CK, prepare lab steps, run experiments, and report findings.

This creates a faster feedback loop for attackers. Instead of manually reading every new research post, operators can ask AI agents to summarize techniques, identify tooling requirements, and help reproduce ideas inside a test environment.

The case shows how public offensive and defensive research can be repurposed. Publishing technical research remains important for defenders, but threat actors can now process the same material faster with AI-assisted workflows.

Why defenders should not panic, but should adapt

The Sophos report does not mean AI has replaced skilled attackers. It shows that AI can help operators automate repetitive steps, write code faster, organize test results, and iterate payloads more quickly.

Help Net Security also noted that Sophos linked the activity to ransomware and data theft operations, while stating that the group involved remains undisclosed because of active investigations.

The defensive lesson is practical. Organizations should assume attackers will use AI to compress development cycles. That makes baseline controls, detection engineering, identity security, and incident response speed more important.

  • Patch exposed services and high-risk enterprise software quickly.
  • Use phishing-resistant multifactor authentication for privileged and remote access.
  • Monitor Active Directory enumeration and unusual account discovery behavior.
  • Detect suspicious use of Cobalt Strike, Sliver, Telegram C2, and Cloudflare Worker redirectors.
  • Correlate endpoint detections with process lineage, network traffic, and identity events.
  • Restrict PowerShell, script interpreters, and unsigned tools where business workflows allow it.
  • Hunt for payloads staged in user directories and temporary development folders.
  • Test recovery plans for ransomware and data theft scenarios.

Detection should focus on behavior, not labels

AI-assisted malware development can change file hashes, payload wrappers, and code structure quickly. That reduces the value of static indicators alone.

[Figure: Article ingestion and technique mapping instructions for AI agents]

Security teams should focus on behavior that attackers still need to perform. That includes unusual script execution, process injection attempts, suspicious parent-child process chains, command-and-control traffic, credential access, and abnormal domain enumeration.

MITRE ATT&CK describes attempts to impair defenses by disabling or modifying tools, services, logging, or protections. EDR evasion testing fits that broader defensive-impairment pattern, even when the exact payload changes.

What security teams should watch now

Organizations should review alerts involving payload staging in user directories, especially folders that look like test environments. The Sophos case began with payloads found under a user Documents path, which then led investigators to the broader framework.

Teams should also monitor for unusual use of developer tooling on non-developer systems. AI coding tools, Git repositories, payload builders, and lab automation software may have legitimate uses, but they can look suspicious on endpoints that do not belong to engineering or security teams.

BleepingComputer reported that artifacts in the environment included Cobalt Strike operator logs tied to a ransom note and multiple organizations listed on a ransomware data leak site. That makes early investigation of suspicious toolchains especially important.

| Signal | Why it matters | Suggested action |
|---|---|---|
| Payloads in user test folders | May indicate malware staging or local testing | Collect files, isolate the host, and review process history |
| Unexpected Git repositories | May contain automation scripts, payload builders, or C2 configuration | Review commit history and linked remote repositories |
| Telegram bot API traffic from servers | May indicate covert command-and-control communication | Correlate with endpoint process and network telemetry |
| Cloudflare Worker redirect behavior | May hide backend infrastructure | Inspect destination patterns and process owners |
| Unusual domain enumeration | May indicate Active Directory reconnaissance | Review account context, host role, and timing |
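
An added example (not Sophos's or the article's code) that correlates two signals from the table above: binaries written under test-style user folders, and Telegram Bot API or workers.dev connections made by a non-browser process on the same host. The event schema, folder pattern, process allow-list and one-hour window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed schema: normalized endpoint events; all field names are hypothetical.
STAGING_RE = re.compile(  # .exe/.dll under a user-profile folder named like "test"
    r"\\users\\[^\\]+\\(?:documents|desktop|downloads)\\[^\\]*test[^\\]*\\.*\.(?:exe|dll)$",
    re.I)
EXPECTED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
WINDOW = timedelta(hours=1)  # assumed correlation window

def is_watched(dest):
    """Telegram Bot API host, or a Cloudflare Workers default (workers.dev) name."""
    dest = dest.lower().rstrip(".")
    return dest == "api.telegram.org" or dest.endswith(".workers.dev")

def correlate(events):
    """Return hosts where a staged binary and watched-destination traffic from
    an unexpected process occur within WINDOW of each other."""
    staged, beacons = {}, {}  # host -> matching events
    for ev in events:
        if ev["type"] == "file_write" and STAGING_RE.search(ev["path"]):
            staged.setdefault(ev["host"], []).append(ev)
        elif (ev["type"] == "net_conn" and is_watched(ev["dest"])
              and ev["process"].lower() not in EXPECTED_PROCS):
            beacons.setdefault(ev["host"], []).append(ev)
    findings = []
    for host in sorted(staged.keys() & beacons.keys()):
        pairs = [(f, n) for f in staged[host] for n in beacons[host]
                 if abs(n["time"] - f["time"]) <= WINDOW]
        if pairs:  # report the closest file/connection pair for triage
            f, n = min(pairs, key=lambda p: abs(p[1]["time"] - p[0]["time"]))
            findings.append({"host": host, "file": f["path"],
                             "process": n["process"], "dest": n["dest"]})
    return findings

# Constructed sample events, not real telemetry.
SAMPLE = [
    {"type": "file_write", "host": "SRV-APP1", "time": datetime(2025, 1, 10, 3, 0),
     "path": r"C:\Users\User\Documents\test\loader.exe"},
    {"type": "net_conn", "host": "SRV-APP1", "time": datetime(2025, 1, 10, 3, 20),
     "process": "python.exe", "dest": "api.telegram.org"},
    {"type": "net_conn", "host": "WS-22", "time": datetime(2025, 1, 10, 9, 0),
     "process": "chrome.exe", "dest": "api.telegram.org"},
    {"type": "file_write", "host": "SRV-DB2", "time": datetime(2025, 1, 10, 1, 0),
     "path": r"C:\Users\ops\Desktop\test2\svc.dll"},
    {"type": "net_conn", "host": "SRV-DB2", "time": datetime(2025, 1, 10, 8, 0),
     "process": "rundll32.exe", "dest": "cdn-edge.example.workers.dev"},
]
```

Workers served from custom domains will not match the workers.dev suffix, so this check complements destination and process-owner review rather than replacing it.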

AI changes the speed of attacks, not the fundamentals

The most important takeaway is that AI helps attackers move faster, but it does not remove their need for access, credentials, execution, command and control, and persistence.

Sophos reached the same conclusion: AI lowers the barrier for sophisticated post-exploitation development, but organizations still need the same defense-in-depth basics.

Those basics include timely patching, modern authentication, MFA or passkeys, broad EDR coverage, identity monitoring, least privilege, network segmentation, and a tested ransomware response plan.

Domain Account Discovery and other Active Directory reconnaissance techniques should receive special attention because ransomware operators often rely on identity paths before they deploy final payloads.

Defensive impairment behavior should also remain a high-priority alert category. When attackers test or apply EDR evasion, they usually leave signals across process activity, logs, tamper events, and network communications.

The rise of AI-assisted offensive tooling does not make traditional security controls obsolete. It makes weak controls easier to find, test, and exploit at speed.

FAQ

What did Sophos find in the AI-assisted attack framework?

Sophos found a post-exploitation framework that used AI-assisted tooling, an automated Active Directory discovery panel, Cobalt Strike profiles, Telegram-based command and control, Python shellcode injection scripts, a Cloudflare Worker redirector, and a lab for testing EDR evasion.

Was the Active Directory attack framework fully autonomous?

No. Sophos said the Active Directory discovery panel used predefined workflows and human-directed logic. It collected results, selected next steps from set options, dispatched tasks, and reevaluated output, but it did not act as a fully autonomous LLM.

Which AI tools were involved?

The reported workflow used Cursor and multiple Claude Opus agents. One agent coordinated operations, while others helped with EDR testing, documentation, operational security checks, proxy stress testing, and virtual machine deployment.

Why is Active Directory discovery important to attackers?

Active Directory discovery helps attackers identify users, groups, privileged accounts, computers, and paths for lateral movement. Ransomware operators often use this information before data theft or encryption.

Does AI make EDR useless?

No. AI can help attackers test and revise malware faster, but it does not remove the need for access, execution, credentials, command and control, and persistence. EDR remains important when paired with identity monitoring, patching, MFA, and behavior-based detection.

How can organizations defend against AI-assisted post-exploitation tools?

Organizations should patch quickly, enforce phishing-resistant MFA, monitor Active Directory enumeration, restrict privileged access, detect suspicious C2 traffic, investigate payload staging in user folders, and correlate endpoint, identity, and network telemetry.

Readers help support VPNCentral. We may get a commission if you buy through our links.