AI-assisted PowerShell used for noisy AD reconnaissance
🛡️ Huntress investigators reported an early-June 2026 intrusion where an unknown actor used a vibe-coded PowerShell script to enumerate Active Directory. The attacker gained RDP access with pre-compromised credentials, staged tools under C:\ProgramData\, and executed an AI-suspected payload that mapped DCs, users, groups, OUs, trusts, and produced an AD_Report.html. After harvesting data into CSVs and archiving them, files were exfiltrated to a remote server, with additional enumeration using s5cmd and SharpShares.
