AI-Coded Malware Used for Active Directory Enumeration and Exfiltration
A threat actor was observed in early June 2026 using AI-generated PowerShell scripts for Active Directory enumeration and then deploying s5cmd for data exfiltration after gaining initial access via RDP, indicating a shift towards AI-augmented tradecraft for rapid and aggressive campaigns.
In early June 2026, unnamed threat actors were observed utilizing AI-generated PowerShell scripts, referred to as "vibe-coded" malware, to execute Active Directory (AD) enumeration during an incident. This new approach enables cybercriminals to rapidly develop bespoke, single-use scripts, shifting the threat landscape by prioritizing aggression and speed over stealth. The observed attack initiated with RDP access to a domain-joined Windows Server, followed by the deployment of a custom PowerShell script (Untitled1.ps1) for AD reconnaissance and subsequent use of s5cmd.exe for potential data exfiltration and SharpShares.exe for further share enumeration. This incident highlights the evolving nature of cyberattacks, where AI augmentation accelerates traditional attack chains, making it crucial for defenders to focus on detecting fundamental attack behaviors rather than solely relying on signatures of known tooling.
Attack Chain
- Initial Access: A threat actor established RDP access on a domain-joined Windows Server using pre-compromised credentials, with context suggesting initial access via a VPN.
- Tool Staging: The attacker created a staging directory within
C:\ProgramData\to store and operate their toolsets. - AI-Generated Reconnaissance Script Deployment: An AI-generated PowerShell script,
C:\ProgramData\Untitled1.ps1, was deployed to the staging directory. - Active Directory Enumeration: The
Untitled1.ps1script was executed to perform aggressive Active Directory enumeration, identifying domain controllers and mapping users, computers, and domains. - Data Collection and Reporting: The
Untitled1.ps1script proceeded to create a directory, export collected AD information into various files, and generate anAD_Report.htmlto summarize the enumeration process. - Data Exfiltration Preparation/Execution:
C:\ProgramData\s5cmd.exe, a legitimate Amazon S3 command-line tool known for data exfiltration, was deployed and likely executed for high-speed data transfer. - Secondary Network Discovery:
SharpShares.exe, a known enumeration tool, was deployed and executed to hunt for further user-accessible data repositories by filtering common administrative shares.
Impact
The observed incident involved a compromise of a domain-joined Windows Server, leading to extensive Active Directory enumeration and subsequent data exfiltration attempts. If successful, such attacks can rapidly lead to deeper network compromise, privilege escalation, and significant data loss, enabling further damaging campaigns by threat actors who prioritize aggression and speed over stealth. The use of AI-generated, single-use scripts makes traditional signature-based detections less effective, increasing the risk of successful exploitation and prolonged dwell times before detection.
Recommendation
- Enable and analyze PowerShell script block logging (Event ID 4104) to activate the detection rules for AD enumeration.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious tool execution and PowerShell activity from non-standard locations like
C:\ProgramData\. - Implement robust RDP security controls, including multi-factor authentication and strong password policies, to prevent initial access via compromised credentials, as described in the initial access stage.
- Monitor for process creation events originating from
C:\ProgramData\for executables likes5cmd.exeandSharpShares.exe. - Continuously monitor for suspicious Active Directory enumeration commands, especially when executed by non-administrative accounts or from unusual processes, as detailed in the detection rules.
Detection coverage 3
Detect Suspicious Tool Execution from C_ProgramData
highDetects the execution of known attacker tools (s5cmd.exe, SharpShares.exe) from the C:\ProgramData\ directory, a common staging area for adversaries.
Detect PowerShell Script Execution from C_ProgramData
mediumDetects PowerShell or pwsh.exe executing a script from the C:\ProgramData\ directory, often used by attackers as a staging area.
Detect Suspicious PowerShell Active Directory Enumeration
mediumDetects the execution of multiple Active Directory enumeration commands via PowerShell, as observed with AI-generated reconnaissance scripts.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
4
filename
3
filepath
| Type | Value |
|---|---|
| filename | Untitled1.ps1 |
| filename | s5cmd.exe |
| filename | SharpShares.exe |
| filepath | C:\ProgramData\Untitled1.ps1 |
| filepath | C:\ProgramData\s5cmd.exe |
| filepath | C:\ProgramData\SharpShares.exe |
| filename | AD_Report.html |