Close Menu
    What's Hot

    Wall Street ‘Super Tuesday’ gives a flavour of earnings to come

    Okta, Inc. (OKTA) Discusses Technology Vision and Identity Security Strategy Transcript

    Health equity is a social justice issue

    Facebook X (Twitter) Instagram
    Trending
    • Wall Street ‘Super Tuesday’ gives a flavour of earnings to come
    • Okta, Inc. (OKTA) Discusses Technology Vision and Identity Security Strategy Transcript
    • Health equity is a social justice issue
    • ‘Kylian is fine’: France ready, full-strength for Spain World Cup semifinal | World Cup 2026
    • Deportations by India Cause Tension Along Border with Bangladesh
    • OpenAI Is Showing Kalshi’s World Cup Odds in ChatGPT
    • Nvidia halves Asia buyer list in China chip crackdown
    • The Open 2026 tee times: Full R1 groupings and start times for opening round of men’s major at Royal Birkdale | Golf News
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

    adminBy adminJuly 14, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

    Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration.

    “The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the enumeration attempt,” Huntress researchers Jevon Ang and Dray Agha said.

    The attack chain involved the threat actor establishing Remote Desktop Protocol (RDP) access onto a domain-joined Windows Server with a set of pre-compromised credentials, followed by staging the tools in the “C:\ProgramData\” folder. The incident took place in early June 2026.

    This included an artificial intelligence (AI)-generated payload to map the Active Directory environment. The assessment is based on various telltale signs, such as the prompt iteration title, placeholder strings, over-engineered code that features multiple methods to find a Domain Controller, and beautified console output using cyan, green, red, and yellow.

    Huntress described the bespoke PowerShell script as “highly aggressive” and “noisy,” making use of a “five-step cascading fallback mechanism” to enable reconnaissance and discovery. It’s titled “100% Working AD Information Gathering Script – FULLY FIXED,” suggesting a back-and-forth with a large language model (LLM).

    Once the primary Domain Controller is located, it initiates a data collection routine to systematically harvest AD users, computers, groups, organizational units (OUs), and trusts, and store the details in a staging directory.

    Cybersecurity

    About 30 minutes later, the attacker moved to deploy a s5cmd, a legitimate tool used for bulk file operations, along with SharpShares, a C#-based network shares enumeration utility, to look for user-accessible data repositories.

    In the final stage, the data is said into CSV files, archived, and exfiltrated to a remote server, but not before creating an HTML file summarizing the data theft in the form of an Active Directory Inventory Report.

    “It’s likely a ‘helpful’ inject from the LLM that the attacker simply went along with, rather than being intentionally authored into the script,” the researchers explained.

    The development is yet another sign that threat actors are augmenting their arsenal with vibe-coded malware generated with assistance from AI models, even if the technology isn’t being abused in ways not seen before. What it does change is that it lowers the barrier to entry for cybercrime, permitting less-skilled actors to come up with highly capable, evasive tooling with minimal effort.

    “The underlying attack chain still resembles the tried-and-tested smash-and-grab playbook we’ve seen for years,” Huntress said. “This core methodology has remained consistent, but it is now being selectively augmented by AI. This hybrid approach prioritises aggression and speed over stealth, allowing threat actors to execute highly damaging campaigns faster than ever.”

    AI as a Force Multiplier

    In a report published last week, Sygnia revealed that AI-enabled attackers do not necessarily need novel malware or zero-days, but that the real shift lies in the fact that cyber intrusions can be orchestrated at a speed and scale faster and bigger than defenders can contain them.

    The incident response company said it observed an AI-assisted cloud attack that progressed from initial access to broad compromise within a span of about 72 hours against a large Amazon Web Services (AWS)-based environment. The end goal of the activity is assessed to be financially motivated, with the attacker using the access to the victim’s cloud infrastructure for use as leverage for extortion.

    “The threat actor repeatedly leveraged newly acquired credentials to restart discovery, secrets harvesting, persistence, and impact activities,” it said. “The attack relied on familiar cloud techniques rather than novel malware or zero-days.”

    “The threat actor was not exploiting a single misconfiguration; they were chaining weaknesses across application services, AWS resources, source-control repositories, CI/CD workflows, runtime components, and data stores, while rapidly executing credential discovery, secrets harvesting, cloud enumeration, deployment-pipeline abuse, runtime modification, database access, and operational disruption.”

    Cybersecurity

    The attacker, per Sygnia, entailed repeated attempts to establish persistence on the compromised hosts, obtaining the access key to one of the AWS accounts through shortcomings in an internet-facing application. Each new access was followed by renewed enumeration, additional secret collection, persistence attempts by creating access keys and IAM users, and data exfiltration. At the same time, several attacker-created artifacts were masked as a pentest or a red teaming exercise.

    To further exert pressure on victims, the attacker performed a series of actions –

    • Denying access to S3 buckets
    • Limiting ECS services or containers to a maximum capacity of zero
    • Creating ACL rules to block network access
    • Purging SQS queues

    “The significance was not that AI introduced new attack techniques, as every observed action mapped to long-established adversary behaviors, but that it reduced the time and effort required to operationalize those techniques across a complex environment,” Sygnia pointed out.

    “The threat actor repeatedly converted newly obtained access into tailored action. For each new access key, the actor appeared to quickly determine the associated permissions, reachable resources, and most valuable next steps.”

    active AIGenerated attacker directory map PowerShell script suspected
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleHealth Officials in Michigan Identify ‘Potential Source’ of Cyclospora Outbreak
    Next Article The Open 2026 tee times: Full R1 groupings and start times for opening round of men’s major at Royal Birkdale | Golf News
    admin
    • Website

    Related Posts

    The Case for Combining Autonomous AI with Analyst Copilots

    July 14, 2026

    Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

    July 13, 2026

    Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

    July 13, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Wall Street ‘Super Tuesday’ gives a flavour of earnings to come

    Okta, Inc. (OKTA) Discusses Technology Vision and Identity Security Strategy Transcript

    Health equity is a social justice issue

    ‘Kylian is fine’: France ready, full-strength for Spain World Cup semifinal | World Cup 2026

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by