Huntress Flags Suspected AI-Written PowerShell in AD Case
Huntress attributes an early-June AD enumeration case to a PowerShell script with clear LLM tells — cyan-and-green banners and 'FULLY FIXED' in the title.
Huntress’ Jevon Ang and Dray Agha published an intrusion analysis
reported by The Hacker News on 2026-07-13
that ties an early-June engagement to a PowerShell Active Directory
enumeration script that reads less like an operator’s private tooling
and more like a chat log with a large language model. The researchers
flagged four tells in the source: a prompt-iteration title, placeholder
strings left in the file, over-engineered code “that features multiple
methods to find a Domain Controller,” and beautified console output in
cyan, green, red, and yellow. The script’s own caption was
100% Working AD Information Gathering Script - FULLY FIXED — the kind
of thing you type when you’re pasting a fix back into a chat window,
not when you’re shipping tooling.
The script itself is only interesting insofar as it worked. It located
the Domain Controller, mapped users, computers, and domains, and
harvested groups, organizational units, and trusts. Output landed as
CSVs and a summary AD_Report.html, staged under C:\ProgramData\ and
archived for exfiltration. Two off-the-shelf helpers ran alongside it:
s5cmd, a legitimate S3 CLI, for bulk file operations, and
SharpShares, a public C# share-enumeration utility. No CVE, no
threat-actor attribution, no victim named — Huntress is transparent
about all three.
Why this matters more than the “AI-generated!” headline
Two things.
One, the tradecraft is unchanged. AD enumeration has been the same shape since BloodHound went public: locate the DC, walk users, computers, groups, OUs, and trusts, ship the results. What changed is who can write the tooling. When the barrier to a working AD-enum harness drops from “read a book” to “iterate with a chatbot for an afternoon,” the population of people running it goes up. That is the trend line to plan against, not any one script.
Two, the artifacts are still artifacts. AD_Report.html sitting in
C:\ProgramData\ alongside s5cmd and SharpShares is a fingerprint
of the run regardless of who wrote the harness. Signature-based
response to any one variant misses the next one — behavior-based
detection on the enumeration pattern catches both.
Here’s what to actually do
- Alert on Domain Controller discovery from user workstations.
DCLocator sequences, LDAP against
RootDSE, andGet-ADDomainControllerfrom a non-tiered-admin session are the exact primitive Huntress’ script started with. Sysmon event 22 (DnsQueryfor_ldap._tcp.dc._msdcs.*), event 4662 on the DC, and PowerShell script-block logging (Event ID 4104) are the three log sources that make this visible on the endpoint. If your fleet is not fielding this class of query today, that is the first gap to close. - Detect
SharpSharesfirst, then family. SharpShares is public offensive tooling with a well-known assembly hash and process-tree shape (.NET Frameworklauncher, share enumeration, output to a single file). If you already have a Sigma or YARA rule for it, verify it fires against the current release. If you don’t, add it. Same guidance forBloodHound,SharpHound,AdRecon, andPingCastlewhen they run under an account that never asked for change control. - Flag CSV or HTML dumps written to
C:\ProgramData\by short-lived scripts. Huntress’ actor used it as staging — attackers pick that path because it is world-writable and less-scrutinized than user profile directories. A rule that fires on non-installer processes writing.csvor.htmlunderC:\ProgramData\catches a lot more than this one campaign. - Baseline
s5cmdusage. It is a legitimate S3 tool with legitimate operator use. If nobody in your environment runs it, that is easy. If somebody does, that is a conversation. Either way, know before you are reading someone else’s writeup.
Priority
Domain Controller discovery telemetry first. It is the same detection
lane every AD-enum variant walks through, LLM-written or not, and the
highest-leverage single check you can add against Huntress’ script and
everything shaped like it. SharpShares signatures and the
C:\ProgramData\ staging rule layer on top. Do not chase this specific
PowerShell script — the next one will pick different colors and a
different title, and both of those are cheap to iterate on when the
person writing the script is talking to a chatbot.
The honest read: this is not the first attacker-written LLM output researchers have caught, and it will not be the last. The story is the population, not the sample. If your AD-enumeration detections were credible against a competent human operator last month, they will still be credible against a vibe-coded harness this month. If they were not, this is the reminder to fix that.
Related coverage
- Sophos: Coding Agents Are Tripping the Attacker Detections — same signal from the defender side: LLM-driven code behaves attacker-like on EDR by construction.
- Three Evilginx Crews, One Forgotten Bash History — a different lane of the same commodity-tooling, low-barrier-to-entry story.
Sourcing
- Huntress — intrusion analysis by Jevon Ang and Dray Agha, referenced in The Hacker News.
- The Hacker News — Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory, 2026-07-13.
Found this useful? Share it.


