Hackers Using Vibe-Coded Generated PowerShell Script to Enumerate Active Directory Accounts

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Threat actors have started weaponizing AI-generated PowerShell code to map Active Directory (AD) environments, marking a notable shift from off-the-shelf hacking tools to bespoke, “vibe-coded” malware. Security researchers at Huntress recovered and reconstructed one such script, dubbed Untitled1.ps1, from an incident on June 3, 2026.

Vibe coding refers to writing software by iteratively prompting an AI with natural language rather than manually typing code, until the output matches the desired function.

This approach has lowered the technical bar for cybercrime, letting even mediocre threat actors generate custom, single-use attack tooling that evades traditional signature-based detection.

The intrusion began when an attacker used pre-compromised credentials to establish an RDP session on a domain-joined Windows Server. After staging tools in C:ProgramData, the attacker deployed Untitled1.ps1 within minutes to map the domain’s users, computers, groups, and trusts.

Roughly thirty minutes later, the attacker ran s5cmd.exe, a legitimate Amazon S3 tool frequently abused for data exfiltration, followed by SharpShares.exe to hunt for accessible file shares while filtering out administrative ones.

Researchers reconstructed the script from Windows Event ID 4104 telemetry in the PowerShell Operational log, which captures deployed script blocks.

The tool located the domain controller through an over-engineered, five-step cascading fallback method (DNS lookup, nltest, the AD module, environment variables, and a hardcoded backup), then systematically exported AD Users, Computers, Groups, Organizational Units, Subnets, and Trusts into CSV files. It finished by generating a polished AD_Report.html summarizing the harvested data and zipping the entire output folder.

AD Enumeration (Source: Huntress)

Several artifacts betrayed the script’s AI origin. Its title, “100% Working AD Information Gathering Script – FULLY FIXED,” reads like the product of a back-and-forth debugging session with a chatbot.

More damning was an unedited placeholder hostname, “Server1.HR.local,” left inside the fallback logic clear evidence the attacker copy-pasted AI output without customizing it.

The script’s redundant discovery methods and its excessive use of colorful console output are also considered hallmark traits of LLM-generated code, since a human author would typically favor one or two efficient approaches rather than five.

Aspect Traditional Tooling (e.g., BloodHound, Cobalt Strike) Vibe-Coded Scripts
Detection method File hashes, static signatures Unique per attack, evades hash matching
Code origin Human-authored, reused across campaigns AI-generated, often single-use
Sophistication of actor Moderate to advanced Can be low-skill, prompt-driven
Core attack behavior AD enumeration, credential harvesting Same underlying enumeration mechanics

Because each vibe-coded script is effectively unique, traditional antivirus and EDR tools that rely on static signatures struggle to flag them. Huntress emphasizes that while AI can rewrite code syntax endlessly, it cannot easily disguise the fundamental behaviors of AD enumeration; the actual system calls and operational footprint remain consistent.

This is why the firm’s SIEM platform was still able to catch the activity through behavioral telemetry rather than file-based detection.

This incident illustrates a broader trend: AI is not reinventing attacker playbooks but accelerating and personalizing them, prioritizing speed and aggression over stealth.

As vibe coding becomes more common in cybercrime, security teams are being urged to shift away from static signature matching toward behavioral analytics that can catch the underlying tradecraft no LLM can fully conceal.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.