An attacker used an apparently AI-generated PowerShell script to enumerate an Active Directory environment after gaining RDP access to a domain-joined Windows Server with pre-compromised credentials, according to Huntress. The script, recovered from PowerShell Operational Event ID 4104 logs as Untitled1.ps1, contained hallmarks of LLM-generated code, including the title "100% Working AD Information Gathering Script - FULLY FIXED," excessive fallback logic, colorful console output, and an unedited placeholder for a domain controller hostname.
After the reconnaissance phase, the intruder deployed s5cmd.exe, likely for data exfiltration, and later ran SharpShares.exe to identify accessible network shares while excluding common administrative shares. Huntress said the incident shows AI did not materially alter the attack chain but helped a lower-skill actor rapidly produce custom, single-use malware that is less likely to match known hashes or signatures, reinforcing the need for behavioral detection of AD enumeration and related host activity.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
After using the AI-generated PowerShell script and follow-on tools to enumerate Active Directory and accessible repositories, the attacker archived the CSV outputs and exfiltrated them to a remote server. The activity confirmed data theft beyond the earlier reconnaissance and tooling deployment stages.
Later in the intrusion, the threat actor used SharpShares.exe to identify accessible network shares while filtering out common administrative shares. The activity showed continued internal reconnaissance using additional tooling after the initial AD enumeration.
Following the Active Directory reconnaissance phase, the attacker deployed s5cmd.exe, which Huntress assessed was likely used for data exfiltration. This marked an escalation from discovery activity to likely collection or transfer of data.
After gaining RDP access to a domain-joined Windows Server with pre-compromised credentials, a threat actor ran an AI-generated PowerShell script named Untitled1.ps1 to aggressively enumerate the Active Directory environment. Huntress said the script was recovered from PowerShell Operational Event ID 4104 telemetry and appeared to be LLM-generated based on its artifacts and structure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcescworld.com
Open sourcehuntress.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.