
Artificial Intelligence in the Hands of Cybercriminals: AI-Generated PowerShell Scripts Targeting Active Directory Systems!
The rapid development of artificial intelligence (AI) technologies has significantly simplified the process of software creation. However, these capabilities are now being actively exploited not only by developers and organizations but also by cybercriminals. Recent observations show that threat actors are now using specialized PowerShell scripts generated by artificial intelligence, instead of traditional hacking tools, to analyze Active Directory (AD) infrastructure in corporate networks.
This case, discovered by cybersecurity company Huntress, has once again confirmed that malicious tools created with the help of artificial intelligence are being used in real-world attacks.
What Is “Vibe Coding”?
Experts refer to this method as “Vibe Coding.”
In this approach, instead of writing code manually, the developer or attacker provides instructions to an AI model in natural language. The AI generates the necessary code based on these instructions. If the result does not meet expectations, the user provides additional instructions and refines the code over several iterations.
As a result, individuals without deep programming knowledge can create functional, unique scripts tailored for each specific attack in a short time.
This reduces the cost for cybercriminals to develop attack tools and contributes to their further proliferation.
How Is the Attack Carried Out?
According to Huntress experts, the attack begins with the use of previously compromised user credentials.
The attacker:
- connects to a Windows Server system via RDP (Remote Desktop Protocol);
- places the necessary tools in the C:\ProgramData directory;
- then executes a PowerShell script named Untitled1.ps1, created with the help of AI.
The script’s primary task is to perform a comprehensive analysis of the Active Directory environment.
It collects the following information:
- domain users;
- computers;
- security groups;
- organizational units (OUs);
- inter-domain trust relationships;
- network subnets;
- domain configuration and other important data.
All collected data is exported to CSV files, and a detailed report is ultimately generated in HTML format. All files are then archived and prepared for the next stage of the attack or for data exfiltration.
How Were the Traces of AI Detected?
Experts were able to recover the script from Windows PowerShell Operational logs with Event ID 4104.
During the analysis, a number of indicators were discovered that suggested the script was created with the help of artificial intelligence.
Specifically:
- the script’s name — “100% Working AD Information Gathering Script – FULLY FIXED” — resembles a typical naming style that emerges after multiple interactions with AI chatbots;
- a placeholder server name — Server1.HR.local — was left unchanged within the code;
- instead of one, five sequential methods were used to identify the domain controller;
- excessive colored and decorative messages were output to the PowerShell console.
According to experts, an experienced developer typically does not write such excessively complex and repetitive code. This style is characteristic of code generated by artificial intelligence.
The Attack Did Not End There
After analyzing the Active Directory infrastructure, the attacker used additional tools.
Specifically:
- s5cmd.exe was used to prepare for data transfer to Amazon S3 services;
- SharpShares.exe was used to discover network shares and check for access permissions.
This indicates that the next stage of the attack was likely planned to involve exfiltration of confidential data or further lateral movement within the internal network.
Why Are AI-Generated Scripts Dangerous?
Traditional malware is typically reused multiple times. Therefore, antivirus and EDR systems can detect them based on file hashes or static signatures.
AI-generated scripts are developed almost uniquely for each attack.
As a result:
- each script’s code is unique;
- file hashes are constantly changing;
- signature-based defenses struggle to detect them;
- even less experienced attackers gain the ability to create sophisticated tools.
However, although artificial intelligence can alter the appearance of code, it cannot hide the core behavior of the attack.
For example, actions such as querying Active Directory objects, sending requests via LDAP, creating CSV files, or invoking PowerShell modules are still recorded in system logs.
Therefore, modern SIEM, XDR, and EDR platforms have the capability to detect such attacks through behavioral analysis and telemetry analysis.
Recommendations for Organizations
To protect against such attacks, it is recommended to take the following measures:
- regularly monitor PowerShell activity within the Active Directory environment;
- continuously analyze Windows security logs, including Event IDs 4104, 4688, and others;
- enable PowerShell Script Block Logging, Module Logging, and Transcription features;
- implement multi-factor authentication (MFA) for administrator and service accounts;
- restrict access to RDP services via VPN or trusted IP addresses;
- revoke unnecessary administrator privileges and adhere to the principle of least privilege;
- apply behavioral analytics rules in SIEM, EDR, and XDR solutions;
- regularly conduct Active Directory audits and monitor suspicious LDAP queries and mass enumeration activity;
- protect employee credentials and conduct regular training sessions to defend against phishing attacks.
Conclusion
Artificial intelligence does not create entirely new attack methods for cybercriminals, but it enables existing methods to be executed faster, cheaper, and tailored to each specific target. As a result, unique PowerShell scripts created for each attack can evade traditional signature-based defenses.
Therefore, organizations must now focus not only on detecting malicious files but also on monitoring suspicious behavior within the system, controlling PowerShell activity, and implementing modern behavioral-based protection mechanisms. This approach is crucial for the timely detection of next-generation cyberattacks generated with the help of artificial intelligence and for mitigating their negative consequences.



