Skip to content
Threat Feed
high advisory

AI-Coded Malware Used for Active Directory Enumeration and Exfiltration

A threat actor was observed in early June 2026 using AI-generated PowerShell scripts for Active Directory enumeration and then deploying s5cmd for data exfiltration after gaining initial access via RDP, indicating a shift towards AI-augmented tradecraft for rapid and aggressive campaigns.

In early June 2026, unnamed threat actors were observed utilizing AI-generated PowerShell scripts, referred to as "vibe-coded" malware, to execute Active Directory (AD) enumeration during an incident. This new approach enables cybercriminals to rapidly develop bespoke, single-use scripts, shifting the threat landscape by prioritizing aggression and speed over stealth. The observed attack initiated with RDP access to a domain-joined Windows Server, followed by the deployment of a custom PowerShell script (Untitled1.ps1) for AD reconnaissance and subsequent use of s5cmd.exe for potential data exfiltration and SharpShares.exe for further share enumeration. This incident highlights the evolving nature of cyberattacks, where AI augmentation accelerates traditional attack chains, making it crucial for defenders to focus on detecting fundamental attack behaviors rather than solely relying on signatures of known tooling.

Attack Chain

  1. Initial Access: A threat actor established RDP access on a domain-joined Windows Server using pre-compromised credentials, with context suggesting initial access via a VPN.
  2. Tool Staging: The attacker created a staging directory within C:\ProgramData\ to store and operate their toolsets.
  3. AI-Generated Reconnaissance Script Deployment: An AI-generated PowerShell script, C:\ProgramData\Untitled1.ps1, was deployed to the staging directory.
  4. Active Directory Enumeration: The Untitled1.ps1 script was executed to perform aggressive Active Directory enumeration, identifying domain controllers and mapping users, computers, and domains.
  5. Data Collection and Reporting: The Untitled1.ps1 script proceeded to create a directory, export collected AD information into various files, and generate an AD_Report.html to summarize the enumeration process.
  6. Data Exfiltration Preparation/Execution: C:\ProgramData\s5cmd.exe, a legitimate Amazon S3 command-line tool known for data exfiltration, was deployed and likely executed for high-speed data transfer.
  7. Secondary Network Discovery: SharpShares.exe, a known enumeration tool, was deployed and executed to hunt for further user-accessible data repositories by filtering common administrative shares.

Impact

The observed incident involved a compromise of a domain-joined Windows Server, leading to extensive Active Directory enumeration and subsequent data exfiltration attempts. If successful, such attacks can rapidly lead to deeper network compromise, privilege escalation, and significant data loss, enabling further damaging campaigns by threat actors who prioritize aggression and speed over stealth. The use of AI-generated, single-use scripts makes traditional signature-based detections less effective, increasing the risk of successful exploitation and prolonged dwell times before detection.

Recommendation

  • Enable and analyze PowerShell script block logging (Event ID 4104) to activate the detection rules for AD enumeration.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious tool execution and PowerShell activity from non-standard locations like C:\ProgramData\.
  • Implement robust RDP security controls, including multi-factor authentication and strong password policies, to prevent initial access via compromised credentials, as described in the initial access stage.
  • Monitor for process creation events originating from C:\ProgramData\ for executables like s5cmd.exe and SharpShares.exe.
  • Continuously monitor for suspicious Active Directory enumeration commands, especially when executed by non-administrative accounts or from unusual processes, as detailed in the detection rules.

Detection coverage 3

Detect Suspicious Tool Execution from C_ProgramData

high

Detects the execution of known attacker tools (s5cmd.exe, SharpShares.exe) from the C:\ProgramData\ directory, a common staging area for adversaries.

sigma tactics: collection, discovery, execution, exfiltration techniques: T1005, T1041, T1059, T1087, T1135 sources: process_creation, windows

Detect PowerShell Script Execution from C_ProgramData

medium

Detects PowerShell or pwsh.exe executing a script from the C:\ProgramData\ directory, often used by attackers as a staging area.

sigma tactics: defense_evasion, execution techniques: T1036.005, T1059.001 sources: process_creation, windows

Detect Suspicious PowerShell Active Directory Enumeration

medium

Detects the execution of multiple Active Directory enumeration commands via PowerShell, as observed with AI-generated reconnaissance scripts.

sigma tactics: discovery techniques: T1018, T1069.001, T1069.002, T1087.001, T1087.002 sources: powershell, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

4

filename

3

filepath

TypeValue
filenameUntitled1.ps1
filenames5cmd.exe
filenameSharpShares.exe
filepathC:\ProgramData\Untitled1.ps1
filepathC:\ProgramData\s5cmd.exe
filepathC:\ProgramData\SharpShares.exe
filenameAD_Report.html