On June 3, 2026, a threat actor breaking into a network reached for an Active Directory reconnaissance script that an AI assistant had written on demand. (Source: Infosecurity-Magazine)
Key Insight: Huntress recovered and rebuilt the tool, which the attacker had titled "100% Working AD Information Gathering Script - FULLY FIXED." The name itself gives away its origins: a back-and-forth with a large language model, with error messages pasted in until the code finally ran.
Active Directory is the directory service that manages user accounts, group memberships, computers and trust relationships across most Windows networks. It is where identity and access decisions live, which is exactly why an attacker maps it first. If someone can enumerate your AD, they know who the privileged users are, which machines matter, and how your domains connect—the layout they need to plan the rest of the intrusion.
That is what the vibe-coded script did once it ran. It located the domain controller, then harvested users, computers, groups and trusts into spreadsheets, and finally generated an HTML report summarizing what it had collected. The domain controller is the server that authenticates logins and enforces policy across the environment, so reconnaissance that starts there gives an attacker a full picture of your organization's identity structure.
The script carried several AI fingerprints Huntress flagged as tells:
- A placeholder server name the model supplied as an example, copied across without editing.
- Over-engineering—five separate fallback methods to find the domain controller where a human would pick one.
- A fondness for colorful console output and the auto-generated report the researchers believed the model added on its own.
The takeaway for IT and security leadership is that AD reconnaissance is not a minor early step you can shrug off. It is the foundation an attacker builds the rest of the intrusion on, and vibe coding now lets less-skilled actors produce a working enumeration tool without knowing how to write one themselves.
How the Attack Chain Exploits AD Enumeration
The attack begins the moment the vibe-coded PowerShell script executes on a compromised host. Its first job is finding the domain controller, and it does so through five separate fallback methods rather than settling on one. That over-engineering is itself a behavioral indicator: a human author picks a single reliable technique, while an AI assistant chains redundant approaches to cover every failure case. For SOC analysts, seeing sequential domain controller discovery attempts from a single process is worth a second look.
Once the controller is located, the script pulls a broad slice of the directory. According to Huntress, it harvested Active Directory users, computers, groups, and trust relationships and wrote them into spreadsheets. It then produced an HTML report summarizing what it collected—a formatting touch the researchers attributed to the LLM adding polish on its own.
This maps cleanly to MITRE ATT&CK reconnaissance techniques: account discovery (T1087), domain trust discovery (T1482), permission groups discovery (T1069), and remote system discovery (T1018). The business consequence is that the attacker now holds a map of who has access to what, which computers exist, and how domains trust each other—exactly the information needed to plan lateral movement and privilege escalation without guessing.
Trust relationship data matters most here. Trust enumeration reveals paths into connected domains and forests, which means a foothold in one environment can become a route into partner or subsidiary networks that share authentication.
The intrusion reached this stage the ordinary way. Huntress reported the attacker logged in over RDP with stolen credentials (T1078, valid accounts; T1021.001, remote services), then staged tooling in a common Windows folder before running the reconnaissance script. Staging in a standard directory is deliberate—it blends with legitimate files and reduces the chance a path stands out in a quick review.
After reconnaissance, the attacker turned to data collection and exfiltration using legitimate utilities. SharpShares enumerates accessible network shares across the domain, extending the recon picture to where files actually live. s5cmd, a fast command-line client for S3-compatible cloud storage, then moved data out to attacker-controlled storage.
Both are the point defenders should focus on. These are known, legitimate tools, so their presence is not inherently malicious—but s5cmd transferring large volumes to external cloud endpoints, or SharpShares walking every share in sequence, is behavior that stands apart from normal administrative activity. This is living-off-the-land tradecraft: the technique hides in the reputation of legitimate software.
"Vibe coding lowers the barrier to entry for cybercrime, allowing unsophisticated actors to generate highly capable, evasive tooling on the fly," Huntress said.
That evasiveness is why "fully fixed" versions circulating in the wild remain dangerous. Because each script is generated on demand, it is unique—the file hashes and signatures antivirus tools rely on were, in Huntress's words, useless against it. Two attackers prompting an assistant for the same capability will produce different code that does the same thing.
For threat hunters, that shifts the useful indicators away from static file artifacts and toward behavior. The actions do not change even when the code does: a single process discovering the domain controller through multiple methods, bulk enumeration of users, groups, and trusts, output written to spreadsheets and HTML in a staging folder, RDP logins from unexpected sources, SharpShares fanning across network shares, and s5cmd pushing data to cloud storage. Those sequences hold regardless of what the underlying script looks like.
Business and Operational Impact of AD Compromise
When an attacker enumerates your Active Directory environment, they are not stealing a single database or one machine's contents. They are mapping the control plane for every user account, every server, and every trust relationship your organization depends on to authenticate people and grant access.
That is the core of the problem for you as a CISO or business continuity lead. A domain-level compromise touches every system joined to that domain. The reconnaissance harvested in this incident—user accounts, computers, group memberships, and trust relationships—hands the attacker a blueprint of where privileged accounts live and which paths lead to your most sensitive data.
With that map in hand, an intruder can plan lateral movement (moving from the first compromised host to others across the network) without guessing. They already know which accounts hold domain admin rights and which servers are worth reaching. This shortens the time between initial access and full domain control.
The asymmetry works against you. The attacker in this case needed one working set of stolen credentials over RDP to get a foothold. You, by contrast, have to protect every endpoint, every service account, and every trust link—because any one of them becomes the next stepping stone once the directory is mapped.
Consider what a mapped directory enables next:
- Wholesale credential exposure across the domain, since directory enumeration reveals account names, group memberships, and privileged roles that can be targeted for theft or reuse.
- Ransomware deployment at scale, because knowing the domain controller and high-value systems lets an operator push encryption to the machines that hurt most.
- Data exfiltration using trusted tooling, as seen when the attacker used the utility SharpShares and the cloud tool s5cmd to move data—traffic that blends in with legitimate cloud activity.
The compliance consequences follow the scope of the breach. If the mapped directory governs access to systems holding cardholder data, patient records, or financial reporting controls, a domain compromise can put you in violation of PCI-DSS, HIPAA, or SOX obligations. Regulators and auditors treat unauthorized access to identity infrastructure as a material event because it undermines the access controls those frameworks require.
Recovery from a domain-wide compromise is rarely quick. Once you cannot trust that identity infrastructure is clean, the safe assumption is that any account could be compromised, which drives credential resets, forced re-authentication, and forensic review across the estate. That work translates into extended operational disruption and the cost of engaging incident response while normal business slows.
That lowered barrier changes your risk calculus. You are no longer only facing well-resourced groups; a mediocre attacker can now generate one-off directory reconnaissance tooling on demand. The intrusion itself still followed the same smash-and-grab pattern—stolen credentials, staged tools, network scouting—but the population of actors able to run that playbook is wider than before.
For your planning, the takeaway is scope. Treat any confirmed Active Directory enumeration as a domain-level incident affecting every joined system and user, not an isolated host event, and size your response and recovery efforts to that blast radius.
Detection and Forensic Indicators for AD Information Gathering Activity
The most valuable action you can take is to enable and retain PowerShell Script Block Logging (Event ID 4104) across every domain-joined host, because the vibe-coded reconnaissance script Huntress recovered left no reusable file hash to match against. Signature-based antivirus was useless here—the script was one of a kind and unlikely to reappear in the same form. What it cannot hide is the behavior it executes, and PowerShell logging captures that behavior in full.
Following the NIST Cybersecurity Framework, the detection work below focuses on what to hunt for across your last 30 and 90 days of telemetry, on the assumption that a similar intrusion may already have happened.
Start by confirming which hosts actually forward the logs that matter. If Script Block Logging and process-creation auditing are not being written and shipped to your SIEM, you have no record of the very activity this attack generates. Prioritize domain controllers, jump hosts, and any server reachable over RDP.
For detection, three log sources carry the signal:
- Event ID 4104 (Script Block Logging): Hunt for script blocks referencing directory enumeration—strings tied to user, computer, group, and trust queries within a single execution. The recovered script pulled all of these in one run, which is unusual for legitimate administrative scripting.
- Event ID 4688 (Process Creation): Look for
powershell.exespawning from a common Windows staging folder rather than a known admin console, and for the exfiltration utilities s5cmd and SharpShares appearing on hosts that have no business running them. - Event ID 5156 (Windows Filtering Platform): Flag outbound connections from PowerShell or those two utilities to cloud storage endpoints, which is how the staged data left the environment.
The strongest single indicator is sequential domain controller discovery from one process—repeated LDAP binds and multiple location attempts in quick succession. A legitimate script asks once. Monitor Directory Service events on your domain controllers for a burst of broad LDAP queries reading user, group, and trust objects from a single source in a short window.
In Splunk, a starting point is to search 4104 events for enumeration keywords and correlate them against 4688 process ancestry:
index=windows EventCode=4104 ScriptBlockText IN ("*Get-ADUser*","*Get-ADComputer*","*Get-ADTrust*") | stats count by host, ScriptBlockText
In Elastic, pivot on process.name:"powershell.exe" where the parent process is not a recognized management tool, then join to network events showing cloud-storage destinations. Extend both queries across 90 days; RDP logins with stolen credentials often precede the reconnaissance by days or weeks.
Also hunt the file system directly. The script wrote its harvested directory data into spreadsheets and produced an HTML summary report. Search staging directories on servers for recently created CSV, XLSX, and HTML files that map to Active Directory contents—these artifacts persist after execution and confirm what the attacker collected.
Because the tooling changes with every prompt, identity behavior is the durable place to catch this. In environments Capstone manages, Adlumin monitors authentication patterns and flags the RDP login anomaly and the credential reuse that opened this intrusion, before the enumeration stage runs. Detection here is not about recognizing a file—it is about recognizing that one account suddenly began reading the entire directory. That pattern holds no matter how the underlying script is written.
Immediate Response and Containment Actions
The moment you confirm unauthorized RDP access with stolen credentials, disconnect the affected host from the network rather than powering it off. Pulling the network cable or isolating the endpoint through your EDR agent stops any active enumeration or staging while keeping volatile memory and running processes intact for forensics. Powering down destroys evidence you will need to scope the intrusion.
Once the host is isolated, force a password reset on the compromised account and any account that authenticated from the same source during the session. Since this attack started with a valid login, the exposed credential is your immediate pivot point—reset it before the attacker uses it elsewhere.
Identify
Start your account audit with the highest-value objects first, because the reconnaissance script pulled group memberships and trust relationships that show attackers exactly which accounts to target next:
- Domain Admins and Enterprise Admins — confirm no new members were added and no dormant accounts were re-enabled during or after June 3, 2026.
- Service accounts with elevated privileges — these are frequent targets because they often carry high permissions and stale passwords. Check for interactive logons, which service accounts should rarely perform.
- Accounts with delegation rights or membership in built-in privileged groups such as Account Operators and Backup Operators.
Cross-reference these findings against the account used for the initial RDP session to understand the attacker's reach.
Protect
After the immediate resets, restrict RDP exposure. Require RDP access to go through a jump host or VPN with MFA rather than allowing direct connections to servers, and disable RDP entirely on hosts that do not need it. MFA enforcement on every remote-access path is the control that would have stopped this login from succeeding with a stolen password alone.
Adlumin monitors authentication patterns across managed environments, flagging login anomalies and unusual privileged-account behavior that indicate credentials are being reused after theft.
Respond
Over the next 24 to 72 hours, hunt for persistence and staging beyond the initial script. The attacker staged tooling in a common Windows folder, so review recently created or modified files in shared and temporary directories across affected hosts.
- Audit scheduled tasks, new services, and registry Run keys created since the intrusion window.
- Review recent privileged-account activity: Kerberos ticket requests, new group memberships, and logons to systems the account does not normally touch.
- Check for outbound transfers to cloud storage, since data movement in this incident used legitimate command-line utilities that antivirus treats as benign.
- Re-examine every Active Directory trust relationship the reconnaissance captured, confirming no trust was modified or abused to reach linked domains.
"To combat this, defenders must abandon rigid, signature-based thinking and embrace behavioral analytics to catch the underlying actions that no LLM can hide," Huntress said.
Recover
Because a domain-level compromise touches identity itself, treat any account exposed during enumeration as untrusted until reset and verified. Where the attacker demonstrated administrative reach, rotate the KRBTGT account password—twice, following the documented interval—to invalidate forged Kerberos tickets an attacker could use for later access.
As you rebuild, move toward a tiered administrative model that separates domain-admin credentials from everyday workstation logons, and adopt a privileged access management approach that issues time-limited, audited access to sensitive accounts. That structure limits how far a single stolen credential can travel the next time an attacker gets in. Document the timeline and gaps from this incident so the same RDP-plus-stolen-credential path cannot be repeated.
Hardening Active Directory Against Reconnaissance and Lateral Movement
The highest-payoff control here is application allow-listing that restricts who can run PowerShell and reconnaissance tools in the first place. Because the AI-generated script left no reusable signature, blocking its execution context matters more than trying to match its contents.
Deploy AppLocker or Windows Defender Application Control (WDAC) to constrain PowerShell to Constrained Language Mode for standard users, allowing full scripting only for accounts that legitimately need it. That single change means an attacker who lands on a workstation with stolen credentials cannot simply drop an enumeration script and run it interactively.
- Block or alert on execution of SharpShares and s5cmd from user-writable directories, since neither belongs in a typical workstation profile and both showed up in this intrusion for share discovery and data movement.
- Restrict PowerShell remoting and WinRM to designated administrative hosts, so directory queries cannot originate from arbitrary endpoints.
- Enforce script signing where feasible, forcing unsigned one-off tools to fail before they enumerate anything.
Reduce what a successful scout can reach
Reconnaissance is a stepping stone, not the end goal. The attacker maps your directory to find privileged accounts and lateral paths, so the next priority is shrinking those paths.
Implement LAPS (Local Administrator Password Solution) so every machine has a unique, rotating local admin password. If each endpoint's local administrator credential is different, an attacker who harvests one cannot reuse it to hop across your fleet — the most common form of lateral movement after AD enumeration.
Network segmentation alone is not enough, and this is where many mid-sized programs over-invest in one control and under-invest in the other. Segmenting VLANs limits reachability, but AD reconnaissance is fundamentally about identity. If credentials are strong, a mapped network is far less useful to the attacker.
Protect the credentials the map points to
Enforce MFA on all administrative and sensitive accounts, including domain admins, service desk accounts, and any account with delegated directory rights. This attack started with a valid login, so the exposed credential — not the script — was the enabling factor.
Pair MFA with Conditional Access policies that evaluate device compliance, sign-in location, and risk level before granting access to privileged resources. Adlumin ITDR monitors authentication patterns across managed environments, flagging anomalous privileged logins and impossible-travel sign-ins that indicate a stolen credential in use before it becomes broad access.
Watch privileged accounts continuously
Monitor use of high-value groups — domain admins, enterprise admins, and accounts with trust-management rights — as a standing baseline, not a one-time audit. Unexpected group membership queries, off-hours privileged authentication, or a service account suddenly running interactive tools all warrant investigation.
For a mid-sized enterprise, the practical order of investment is clear: application allow-listing and MFA first, because they block execution and reuse cheaply; LAPS next, to cap lateral movement; then segmentation and privileged-account monitoring to contain and detect whatever gets through. Each layer lowers the value of the reconnaissance an attacker manages to complete.
Key Takeaway: Treat AD Reconnaissance as a Critical Alert
The most important thing to understand about this incident is what enumeration actually signals. When a directory-mapping script runs successfully against a domain controller, the attacker already has valid access and is now deciding where to strike next. Reconnaissance of this kind is not a passive scan you can log and forget—it is the step that comes before privilege escalation and lateral movement.
Treat any confirmed instance of Active Directory enumeration as an active incident, not a curiosity in your logs. If you find evidence that someone pulled a full inventory of your users, computers, groups, and trust relationships, assume that inventory is already in an attacker's hands and is guiding their next decisions. The value of that data to an intruder is precisely that it removes guesswork from the rest of the intrusion.
The single most important operational shift is to build detection around the behavior of enumeration rather than the file that performs it. As Huntress demonstrated, an AI-generated script leaves no reusable hash, so what you watch for is the activity itself:
- Process creation events showing PowerShell or scripting hosts querying directory data from a single endpoint
- Bursts of LDAP queries that pull broad slices of the directory in a short window
- Use of the PowerShell Active Directory module by accounts that have no operational reason to enumerate the domain
Active Directory is where every authentication and access decision in your Windows environment lives, which makes it the target attackers map first. Any successful enumeration should trigger escalation and a full investigation into how the account was accessed and what the intruder did afterward. The messiness of the tooling does not lower the severity of what its use represents.