Security experts have identified a breach involving an AI-generated PowerShell script designed for exploring Active Directory (AD) structures. This incident highlights the growing use of AI in crafting sophisticated cyberattacks.
AI-Driven PowerShell Script Deployment
Researchers from Huntress reported that a vibe-coded PowerShell script was utilized to map a company’s AD environment. This script executed a series of tasks, including identifying the Domain Controller (DC), cataloging users, computers, and domains, and eventually generating an HTML report to assess the success of the operation.
The attack began with the threat actor gaining Remote Desktop Protocol (RDP) access to a domain-linked Windows Server, using stolen credentials. This access facilitated the placement of the necessary tools within the “C:ProgramData” directory, with the incursion occurring in early June 2026.
Characteristics of the AI-Generated Script
The script’s development seemingly involved AI assistance, indicated by features like placeholder strings, over-engineered code, and multicolored console outputs. Huntress labeled the script as aggressive, employing a five-step fallback mechanism for AD recognition and data collection.
Upon locating the primary DC, the script initiated comprehensive data collection, systematically gathering information on AD users, computers, groups, organizational units (OUs), and trusts. The collected data was then stored in a temporary directory before further actions were taken.
Data Exfiltration and AI’s Role in Cybercrime
Within 30 minutes, the attacker utilized tools such as s5cmd and SharpShares to identify accessible data repositories. The exfiltrated data was archived into CSV files and sent to a remote server, accompanied by an HTML report summarizing the operation.
Although AI was not used to introduce new attack techniques, it significantly reduced the complexity and time needed to execute these attacks. This development signifies how AI can lower barriers for cybercriminals, allowing less experienced actors to deploy sophisticated and evasive tactics.
Sygnia’s Insights on AI-Enabled Attacks
A recent report from Sygnia detailed a similar AI-assisted attack on a cloud environment, highlighting the rapid pace at which these intrusions can escalate. Within 72 hours, attackers had compromised a large AWS-based infrastructure, leveraging it for potential extortion.
The attackers exploited existing cloud techniques, bypassing the need for new malware or zero-day exploits. They orchestrated a series of actions to maintain persistence, including credential discovery and data exfiltration, masking their activities as legitimate security tests.
This case emphasizes the strategic advantage AI provides to threat actors by accelerating attack processes and enhancing their capability to orchestrate large-scale operations with minimal effort.
