Skip to content
feed: live
>_ 0dayNews
threat intel

Huntress Flags Suspected AI-Written PowerShell in AD Case

Huntress attributes an early-June AD enumeration case to a PowerShell script with clear LLM tells — cyan-and-green banners and 'FULLY FIXED' in the title.

Huntress Flags Suspected AI-Written PowerShell in AD Case
Photo: Simon Kozhin / Wikimedia Commons · CC BY-SA 3.0
fuse Marisol "Fuse" Delgado · Published · 3 min read

Huntress’ Jevon Ang and Dray Agha published an intrusion analysis reported by The Hacker News on 2026-07-13 that ties an early-June engagement to a PowerShell Active Directory enumeration script that reads less like an operator’s private tooling and more like a chat log with a large language model. The researchers flagged four tells in the source: a prompt-iteration title, placeholder strings left in the file, over-engineered code “that features multiple methods to find a Domain Controller,” and beautified console output in cyan, green, red, and yellow. The script’s own caption was 100% Working AD Information Gathering Script - FULLY FIXED — the kind of thing you type when you’re pasting a fix back into a chat window, not when you’re shipping tooling.

The script itself is only interesting insofar as it worked. It located the Domain Controller, mapped users, computers, and domains, and harvested groups, organizational units, and trusts. Output landed as CSVs and a summary AD_Report.html, staged under C:\ProgramData\ and archived for exfiltration. Two off-the-shelf helpers ran alongside it: s5cmd, a legitimate S3 CLI, for bulk file operations, and SharpShares, a public C# share-enumeration utility. No CVE, no threat-actor attribution, no victim named — Huntress is transparent about all three.

Why this matters more than the “AI-generated!” headline

Two things.

One, the tradecraft is unchanged. AD enumeration has been the same shape since BloodHound went public: locate the DC, walk users, computers, groups, OUs, and trusts, ship the results. What changed is who can write the tooling. When the barrier to a working AD-enum harness drops from “read a book” to “iterate with a chatbot for an afternoon,” the population of people running it goes up. That is the trend line to plan against, not any one script.

Two, the artifacts are still artifacts. AD_Report.html sitting in C:\ProgramData\ alongside s5cmd and SharpShares is a fingerprint of the run regardless of who wrote the harness. Signature-based response to any one variant misses the next one — behavior-based detection on the enumeration pattern catches both.

Here’s what to actually do

  • Alert on Domain Controller discovery from user workstations. DCLocator sequences, LDAP against RootDSE, and Get-ADDomainController from a non-tiered-admin session are the exact primitive Huntress’ script started with. Sysmon event 22 (DnsQuery for _ldap._tcp.dc._msdcs.*), event 4662 on the DC, and PowerShell script-block logging (Event ID 4104) are the three log sources that make this visible on the endpoint. If your fleet is not fielding this class of query today, that is the first gap to close.
  • Detect SharpShares first, then family. SharpShares is public offensive tooling with a well-known assembly hash and process-tree shape (.NET Framework launcher, share enumeration, output to a single file). If you already have a Sigma or YARA rule for it, verify it fires against the current release. If you don’t, add it. Same guidance for BloodHound, SharpHound, AdRecon, and PingCastle when they run under an account that never asked for change control.
  • Flag CSV or HTML dumps written to C:\ProgramData\ by short-lived scripts. Huntress’ actor used it as staging — attackers pick that path because it is world-writable and less-scrutinized than user profile directories. A rule that fires on non-installer processes writing .csv or .html under C:\ProgramData\ catches a lot more than this one campaign.
  • Baseline s5cmd usage. It is a legitimate S3 tool with legitimate operator use. If nobody in your environment runs it, that is easy. If somebody does, that is a conversation. Either way, know before you are reading someone else’s writeup.

Priority

Domain Controller discovery telemetry first. It is the same detection lane every AD-enum variant walks through, LLM-written or not, and the highest-leverage single check you can add against Huntress’ script and everything shaped like it. SharpShares signatures and the C:\ProgramData\ staging rule layer on top. Do not chase this specific PowerShell script — the next one will pick different colors and a different title, and both of those are cheap to iterate on when the person writing the script is talking to a chatbot.

The honest read: this is not the first attacker-written LLM output researchers have caught, and it will not be the last. The story is the population, not the sample. If your AD-enumeration detections were credible against a competent human operator last month, they will still be credible against a vibe-coded harness this month. If they were not, this is the reminder to fix that.

Sourcing

Found this useful? Share it.