Threat actors are increasingly leveraging AI-generated PowerShell scripts to conduct Active Directory (AD) reconnaissance, signaling a shift away from traditional offensive tools toward custom-built, AI-assisted malware.

Researchers at Huntress recently analyzed one such script, dubbed Untitled1.ps1, which was deployed during a real-world intrusion on June 3, 2026. The script was used to enumerate Active Directory environments and collect domain intelligence before follow-on activity.

What Is "Vibe Coding"?

Vibe coding refers to generating software through iterative conversations with an AI model rather than manually writing code.

Instead of developing tooling themselves, attackers can repeatedly prompt an AI assistant until it produces code that performs the desired function.

This approach significantly lowers the barrier to entry for cybercrime by allowing less-skilled operators to generate custom attack tools that often evade traditional signature-based detection.

Attack Overview

The intrusion began with the use of previously compromised credentials to establish an RDP session on a domain-joined Windows Server.

Within minutes, the attacker deployed a PowerShell script named:

Untitled1.ps1

The script was designed to map the organization's Active Directory infrastructure.

Approximately 30 minutes later, the attacker executed:

  • s5cmd.exe — Amazon S3 command-line utility commonly abused for data exfiltration
  • SharpShares.exe — Tool used to identify accessible network shares

Active Directory Enumeration Capabilities

The script systematically collected information about:

  • Domain Users
  • Computers
  • Security Groups
  • Organizational Units (OUs)
  • Active Directory Sites
  • Subnets
  • Domain Trusts
  • Domain Controllers

Collected data was exported into CSV files before being consolidated into an HTML report.

Generated Artifacts

AD_Report.html
Users.csv
Computers.csv
Groups.csv
OUs.csv
Subnets.csv
Trusts.csv

The entire dataset was then compressed into an archive for exfiltration.

Over-Engineered Domain Controller Discovery

One of the most notable aspects of the script was its unnecessarily complex method for locating a domain controller.

Instead of using a single reliable method, the script implemented a five-stage fallback process:

  1. DNS Queries
  2. nltest.exe
  3. Active Directory PowerShell Module
  4. Environment Variables
  5. Hardcoded Fallback Hostname

Example placeholder discovered by researchers:

Server1.HR.local

This unused placeholder strongly suggests the script originated from AI-generated output and was copied without proper review.

Indicators of AI-Generated Code

Researchers identified several characteristics commonly associated with LLM-generated scripts.

AI Artifacts Observed

  • Excessive fallback logic
  • Multiple redundant discovery methods
  • Overly verbose console output
  • Unedited placeholder values
  • Marketing-style script title

Example script title:

100% Working AD Information Gathering Script – FULLY FIXED

Alt text

Such naming conventions frequently appear after iterative debugging conversations with AI assistants.

Why Traditional Detection Struggles

Unlike common offensive frameworks such as:

  • BloodHound
  • Cobalt Strike
  • SharpHound

AI-generated scripts are often unique to each intrusion.

Comparison

Traditional Tooling AI "Vibe-Coded" Scripts
Reused across campaigns Often unique per attack
Detectable via hashes Frequently bypass hash detection
Human-developed AI-generated
Consistent signatures Constantly changing code

Because every generated script may look different, static signatures become less effective.

Behavioral Detection Remains Effective

While AI can endlessly rewrite syntax, it cannot easily change the underlying behavior required to perform Active Directory reconnaissance.

The script still generated the same telemetry associated with:

  • LDAP queries
  • Domain enumeration
  • Group enumeration
  • Trust discovery
  • Network share discovery

Huntress successfully detected the activity using behavioral analytics and PowerShell telemetry rather than file signatures.

Researchers reconstructed the script using:

Windows Event ID 4104
PowerShell Operational Logs

which captured the executed script blocks.

Security Implications

The emergence of AI-generated attack tooling does not fundamentally change attacker objectives.

Instead, AI accelerates:

  • Tool development
  • Malware customization
  • Campaign deployment
  • Evasion of signature-based controls

The underlying tactics remain largely unchanged.

Organizations should focus on:

  • Behavioral analytics
  • PowerShell monitoring
  • Active Directory auditing
  • SIEM-based detections
  • Endpoint telemetry collection

rather than relying solely on file hashes and static signatures.

Key Takeaway

AI is not creating entirely new attack techniques—it is making existing tradecraft easier, faster, and more accessible. As "vibe-coded" malware becomes increasingly common, defenders must prioritize behavioral detection capabilities that focus on attacker actions rather than malware fingerprints.