Hackers Use Vibe-Coded PowerShell Script to Map Active Directory Networks
A threat actor used a suspected AI-generated PowerShell script to enumerate users, computers, groups, organizational units, subnets, and trust relationships in a compromised Active Directory environment.
The attacker ran the custom script, named Untitled1.ps1, shortly after accessing a domain-joined Windows Server through Remote Desktop Protocol. Huntress researchers reconstructed the tool from PowerShell logs recorded during the June 3, 2026 intrusion.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The incident shows how attackers can use generative AI to create unique reconnaissance tools instead of relying only on widely detected software such as BloodHound, PowerSploit, or Cobalt Strike.
Attacker used compromised credentials to access the server
According to the Huntress investigation into the vibe-coded PowerShell attack, available evidence suggested that the attacker initially accessed the environment through a VPN.
The attacker then used previously compromised credentials to establish an interactive RDP session on a domain-joined Windows Server. They placed their tools in C:\ProgramData, a directory that threat actors commonly use for staging files.
Within minutes, the attacker executed C:\ProgramData\Untitled1.ps1 to collect information about the Active Directory environment.
| Attack stage | Observed activity |
|---|---|
| Initial access | Evidence suggested access through a VPN using compromised credentials |
| Remote session | The attacker connected to a domain-joined Windows Server through RDP |
| Tool staging | Files were placed in C:\ProgramData |
| AD reconnaissance | Untitled1.ps1 collected domain information and generated reports |
| Possible data transfer preparation | The attacker later deployed s5cmd.exe |
| Share discovery | SharpShares.exe searched for accessible network shares |
PowerShell script collected extensive Active Directory data
Untitled1.ps1 was designed to create a detailed map of the victimโs Windows domain. It first attempted to identify a domain controller and then queried several categories of Active Directory objects.
The collected information could help an attacker identify privileged accounts, valuable servers, organizational structures, trusted domains, and possible paths for lateral movement.
The script exported the following Active Directory data:
- Domain users
- Domain computers
- Security and distribution groups
- Organizational units
- Active Directory sites and subnets
- Domain and forest trust relationships
- Domain controller details
- General domain information
The script saved its findings in CSV files and created an HTML report named AD_Report.html. It then placed the collected results into a compressed archive.
Why Active Directory enumeration matters
Active Directory stores identity, authentication, device, group, and policy information for many business networks. Attackers often enumerate this information after gaining initial access.
The MITRE ATT&CK domain account discovery entry explains that adversaries can list domain accounts to identify users who may hold valuable privileges or provide access to sensitive systems.
Information about computers, groups, and trusts can also help attackers plan privilege escalation and lateral movement. A trust relationship may reveal another domain that accepts authentication from the compromised environment.
| Collected information | Potential value to an attacker |
|---|---|
| User accounts | Identifies administrators, service accounts, and possible impersonation targets |
| Computers | Reveals servers, workstations, and possible lateral movement destinations |
| Groups | Shows which accounts may have elevated permissions |
| Organizational units | Provides insight into company structure and policy boundaries |
| Subnets | Helps attackers understand network segmentation |
| Trusts | Reveals relationships with other domains or forests |
Script used five methods to locate a domain controller
One of the scriptโs most unusual features was its extensive domain controller discovery logic. Rather than using one reliable method, it moved through five possible approaches.
The script attempted DNS discovery, used nltest, queried the Active Directory PowerShell module, checked environment information, and finally relied on a hardcoded hostname.
The fallback hostname was Server1.HR.local. Huntress said this placeholder appeared to have been copied from generated example code without being adapted to the victimโs environment.
- Attempt domain controller discovery through DNS.
- Run nltest to identify a controller.
- Use the Active Directory PowerShell module.
- Check environment variables and domain information.
- Fall back to the hardcoded Server1.HR.local hostname.
The redundant design made the script longer and less efficient than necessary. However, it also increased the chance that at least one discovery method would work on the compromised server.
Researchers found several signs of AI-generated code
Huntress concluded that Untitled1.ps1 was likely created through vibe coding, where a person repeatedly gives natural-language instructions to an AI system until it produces working code.
The script contained several traits that researchers associated with generated or heavily AI-assisted code. No single clue proves that an AI model created the tool, but the combined evidence strongly supported that conclusion.
Suspected signs of AI generation included:
- A title reading โ100% Working AD Information Gathering Script – FULLY FIXEDโ
- An unedited example hostname inside production code
- Five overlapping methods for discovering the domain controller
- Extensive comments and highly descriptive function names
- Colorful console messages for almost every operation
- Repeated error handling and fallback logic
- A polished HTML report that summarized the results
The words โFULLY FIXEDโ suggest that the script may have gone through several prompt-and-correction cycles. A user may have asked an AI assistant to repair errors until the script produced acceptable results.
Vibe coding does not make the attacker advanced
The use of AI-generated code does not necessarily mean that the attacker had advanced programming skills. Generative AI can help a less experienced operator assemble a functional script from natural-language instructions.
The resulting code may contain mistakes, inefficient logic, or obvious placeholders. It can still perform useful reconnaissance when executed with sufficient permissions inside a Windows domain.
This creates a challenge for defenders because attackers can generate new scripts for individual intrusions. Each version may use different function names, comments, formatting, and control flow.
| Characteristic | Established offensive tool | Vibe-coded script |
|---|---|---|
| Development | Usually maintained and tested by experienced developers | May be assembled through repeated AI prompts |
| Reuse | Often used across many attacks | Can be generated for one target or campaign |
| Static detection | Known hashes and code patterns may exist | Code structure may differ in every generated version |
| Reliability | Often tested across many environments | May contain placeholders and redundant logic |
| Core behavior | Performs account and network discovery | Performs the same underlying discovery actions |
Huntress reconstructed the script from Event ID 4104
The attackerโs script was no longer available as a complete file during the investigation. However, Huntress reconstructed it from telemetry in the Microsoft-Windows-PowerShell/Operational log.
Windows can record PowerShell script content through Script Block Logging. Microsoft states that PowerShell Script Block Logging records commands, functions, scripts, and script blocks processed by PowerShell.
These records appear as Event ID 4104. Large scripts can be divided across several events, which means investigators may need to combine the logged blocks in the correct order.
This telemetry allowed researchers to recover the attackerโs code even though the original PowerShell file was not available for direct analysis.
Attacker later deployed s5cmd and SharpShares
About 30 minutes after executing the PowerShell reconnaissance script, the attacker deployed s5cmd.exe in the same staging directory.
The legitimate s5cmd command-line utility supports fast transfers between local storage and Amazon S3-compatible object storage. Administrators and developers use it for legitimate cloud operations.
Threat actors can also abuse the tool to upload stolen files to cloud storage. Huntress has previously observed attackers using s5cmd for data exfiltration, although the report did not state that researchers confirmed a successful upload in this specific incident.
The attacker later returned and ran SharpShares.exe. That tool searched the network for file shares while excluding common administrative shares, helping the operator find locations that might contain accessible business data.
Unique scripts can weaken signature-based detection
Traditional antivirus products often compare files with known hashes, byte sequences, or code patterns. These methods work well when attackers repeatedly use the same tools.
AI can rapidly rewrite a script while preserving its purpose. A new version may enumerate the same domain accounts but use different variable names, functions, comments, and formatting.
That variability can reduce the effectiveness of detections that depend only on one file hash or a narrow text signature.
However, AI-generated code cannot easily hide every action required to query Active Directory. The script still needs to contact domain services, request account information, enumerate groups, create files, and archive the results.
Behavioral detection remains effective
Huntress detected the activity through behavior and event telemetry rather than recognizing a known malicious file. This approach focuses on what a process does instead of how its source code looks.
The MITRE guidance on domain account discovery recommends monitoring commands and processes that request information about domain users.
Security teams can look for combinations of events that rarely occur during normal administration, such as an unexpected RDP session followed by extensive PowerShell queries, bulk CSV creation, archive generation, and cloud transfer tools.
- PowerShell launched soon after an unusual RDP login
- Large numbers of Active Directory queries from one server
- Event ID 4104 entries containing account and trust discovery commands
- Creation of many CSV reports in a temporary or shared directory
- Creation of AD_Report.html or similarly named reports
- ZIP archives created immediately after domain enumeration
- s5cmd.exe appearing on systems where administrators do not use it
- SharpShares.exe or other network share discovery tools
PowerShell logging can preserve critical evidence
Organizations that do not enable detailed PowerShell logging may lose valuable evidence after an attacker deletes the original script.
Microsoft recommends using Protected Event Logging when organizations collect Script Block Logging data for purposes beyond short-term diagnostics. This helps protect sensitive information that scripts may place in event records.
The official Microsoft PowerShell logging documentation explains how administrators can enable Script Block Logging through Group Policy or registry settings.
Security teams should forward relevant PowerShell records to a centralized logging platform. Local logs alone may disappear if an attacker clears them or compromises the system.
How organizations can detect similar Active Directory attacks
Defenders should establish a baseline of approved administrative activity. Active Directory administrators may legitimately run broad discovery commands, but those actions should come from known accounts and management systems.

An ordinary application server suddenly enumerating every domain user, computer, group, and trust deserves investigation. The surrounding login, process, file, and network activity can help distinguish legitimate administration from an intrusion.
Organizations can take the following steps:
- Enable PowerShell Script Block Logging on supported Windows systems.
- Send Event ID 4104 records to a centralized SIEM platform.
- Monitor unusual RDP and VPN logins involving privileged accounts.
- Alert when PowerShell performs broad Active Directory enumeration.
- Restrict who can access domain-joined servers through RDP.
- Use multifactor authentication for VPN and administrative access.
- Monitor C:\ProgramData and other common staging directories.
- Block or investigate unauthorized cloud transfer tools.
- Review the creation of large CSV collections and ZIP archives.
- Limit service account and administrator privileges.
Organizations should monitor s5cmd use
s5cmd is not inherently malicious. Blocking it everywhere could disrupt legitimate cloud workflows, especially in organizations that use S3-compatible storage.
Defenders should instead determine where the tool is approved and which users normally run it. Its appearance on a domain controller, file server, or unrelated application server may carry more risk than its use on a managed cloud transfer system.
The official s5cmd project describes it as a high-speed tool for local file systems and Amazon S3 operations. That transfer capability also explains why attackers may use it after gathering and compressing data.
Security teams should correlate s5cmd execution with file access, archive creation, outbound connections, and newly created cloud credentials.
AI changes attacker tooling more than attack behavior
The incident does not show AI inventing a new Active Directory attack technique. Domain enumeration, RDP access, network share discovery, and cloud-based data transfers have appeared in intrusions for years.
AI instead helped the attacker create a customized implementation of familiar reconnaissance behavior. The script was unique enough to avoid known file hashes while still performing conventional discovery operations.
The Huntress analysis of Untitled1.ps1 argues that defenders should focus on the fundamental attack lifecycle because AI can change syntax more easily than it can change the actions needed to compromise a network.
As attackers adopt vibe coding, organizations will need behavioral analytics, detailed PowerShell telemetry, strong identity controls, and faster investigation of unusual administrative activity.
FAQ
A vibe-coded PowerShell script is code created or refined through natural-language prompts given to an AI assistant. The user describes the desired function and repeatedly asks the model to generate or fix the script.
The script collected information about domain users, computers, groups, organizational units, subnets, domain controllers, and trust relationships. It exported the results to CSV files and generated an HTML report.
Huntress reconstructed the script from PowerShell Script Block Logging records. Windows Event ID 4104 can capture the contents of scripts and commands processed by PowerShell.
s5cmd is a legitimate high-speed tool for transferring files to and from Amazon S3-compatible storage. Attackers can abuse it for data exfiltration, although Huntress did not confirm a successful upload in this incident.
Defenders should monitor behavior rather than depend only on file hashes. Useful signals include unusual PowerShell execution, broad Active Directory queries, report and archive creation, suspicious RDP sessions, and unauthorized cloud transfer tools.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages