Security researchers have identified an intrusion campaign using an AI-generated PowerShell script to enumerate and map Active Directory environments. The attacker deployed the script to discover domain controllers, enumerate users and computers, and extract domain information before generating an HTML report documenting the reconnaissance activity.

The script's structure and coding patterns indicated machine generation rather than manual authorship, suggesting the threat actor leveraged large language models to automate the reconnaissance phase. This approach reduces development time and allows attackers with limited scripting expertise to execute sophisticated domain mapping operations.

Active Directory enumeration represents a critical early-stage attack technique. By mapping AD environments, threat actors identify high-value targets, user roles, administrative accounts, and network topology. The attacker's creation of an AD_Report.html file signals completion of the reconnaissance phase, typically preceding lateral movement, privilege escalation, or data exfiltration.

Organizations using Windows environments face direct exposure. Compromised credentials, unpatched systems, or successful phishing campaigns grant attackers initial access, after which AD enumeration unfolds rapidly. The use of PowerShell, a native Windows administration tool, evades many endpoint detection systems because it operates with legitimate system privileges.

The incident reflects a broader trend of attackers integrating AI-generated code into attack chains. These tools accelerate offensive capability development and lower technical barriers for threat actors. Detection becomes harder when scripts lack distinctive signatures or manual authorship patterns.

Defenders should implement these controls: restrict PowerShell execution policies, enable PowerShell logging and transcription across all systems, monitor for Active Directory enumeration activities like GetDomain and GetComputer operations, deploy multifactor authentication to protect high-privilege accounts, and segment networks to limit lateral movement after reconnaissance. Endpoint detection and response (EDR) solutions should flag unusual PowerShell activity originating from non-administrative users or unexpected processes. Regular AD audits reveal unauthorized access patterns