Threat actors are increasingly leveraging AI-generated PowerShell scripts to conduct Active Directory (AD) reconnaissance, signaling a shift away from traditional offensive tools toward custom-built, AI-assisted malware.
Researchers at Huntress recently analyzed one such script, dubbed Untitled1.ps1, which was deployed during a real-world intrusion on June 3, 2026. The script was used to enumerate Active Directory environments and collect domain intelligence before follow-on activity.
What Is "Vibe Coding"?
Vibe coding refers to generating software through iterative conversations with an AI model rather than manually writing code.
Instead of developing tooling themselves, attackers can repeatedly prompt an AI assistant until it produces code that performs the desired function.
This approach significantly lowers the barrier to entry for cybercrime by allowing less-skilled operators to generate custom attack tools that often evade traditional signature-based detection.
Attack Overview
The intrusion began with the use of previously compromised credentials to establish an RDP session on a domain-joined Windows Server.
Within minutes, the attacker deployed a PowerShell script named:
Untitled1.ps1
The script was designed to map the organization's Active Directory infrastructure.
Approximately 30 minutes later, the attacker executed:
- s5cmd.exe — Amazon S3 command-line utility commonly abused for data exfiltration
- SharpShares.exe — Tool used to identify accessible network shares
Active Directory Enumeration Capabilities
The script systematically collected information about:
- Domain Users
- Computers
- Security Groups
- Organizational Units (OUs)
- Active Directory Sites
- Subnets
- Domain Trusts
- Domain Controllers
Collected data was exported into CSV files before being consolidated into an HTML report.
Generated Artifacts
AD_Report.html
Users.csv
Computers.csv
Groups.csv
OUs.csv
Subnets.csv
Trusts.csv
The entire dataset was then compressed into an archive for exfiltration.
Over-Engineered Domain Controller Discovery
One of the most notable aspects of the script was its unnecessarily complex method for locating a domain controller.
Instead of using a single reliable method, the script implemented a five-stage fallback process:
- DNS Queries
- nltest.exe
- Active Directory PowerShell Module
- Environment Variables
- Hardcoded Fallback Hostname
Example placeholder discovered by researchers:
Server1.HR.local
This unused placeholder strongly suggests the script originated from AI-generated output and was copied without proper review.
Indicators of AI-Generated Code
Researchers identified several characteristics commonly associated with LLM-generated scripts.
AI Artifacts Observed
- Excessive fallback logic
- Multiple redundant discovery methods
- Overly verbose console output
- Unedited placeholder values
- Marketing-style script title
Example script title:
100% Working AD Information Gathering Script – FULLY FIXED

Such naming conventions frequently appear after iterative debugging conversations with AI assistants.
Why Traditional Detection Struggles
Unlike common offensive frameworks such as:
- BloodHound
- Cobalt Strike
- SharpHound
AI-generated scripts are often unique to each intrusion.
Comparison
| Traditional Tooling | AI "Vibe-Coded" Scripts |
|---|---|
| Reused across campaigns | Often unique per attack |
| Detectable via hashes | Frequently bypass hash detection |
| Human-developed | AI-generated |
| Consistent signatures | Constantly changing code |
Because every generated script may look different, static signatures become less effective.
Behavioral Detection Remains Effective
While AI can endlessly rewrite syntax, it cannot easily change the underlying behavior required to perform Active Directory reconnaissance.
The script still generated the same telemetry associated with:
- LDAP queries
- Domain enumeration
- Group enumeration
- Trust discovery
- Network share discovery
Huntress successfully detected the activity using behavioral analytics and PowerShell telemetry rather than file signatures.
Researchers reconstructed the script using:
Windows Event ID 4104
PowerShell Operational Logs
which captured the executed script blocks.
Security Implications
The emergence of AI-generated attack tooling does not fundamentally change attacker objectives.
Instead, AI accelerates:
- Tool development
- Malware customization
- Campaign deployment
- Evasion of signature-based controls
The underlying tactics remain largely unchanged.
Organizations should focus on:
- Behavioral analytics
- PowerShell monitoring
- Active Directory auditing
- SIEM-based detections
- Endpoint telemetry collection
rather than relying solely on file hashes and static signatures.
Key Takeaway
AI is not creating entirely new attack techniques—it is making existing tradecraft easier, faster, and more accessible. As "vibe-coded" malware becomes increasingly common, defenders must prioritize behavioral detection capabilities that focus on attacker actions rather than malware fingerprints.