AI Is Changing Cybercrime: How Hackers Are Using ChatGPT-Style Tools to Build Custom Active Directory Attack Scripts + Video

Listen to this Post

Featured ImageIntroduction: The New Era of AI-Assisted Cyber Attacks

Artificial intelligence has transformed the way software is created, businesses operate, and security teams defend networks. However, the same technology that helps developers write code faster is now becoming a powerful assistant for cybercriminals. A recent incident investigated by Huntress shows a worrying evolution: attackers are no longer limited to downloading public hacking tools. Instead, they can ask AI models to generate custom attack scripts tailored to their targets.

The discovery highlights a major shift in cybersecurity. The threat actor behind this incident did not create an advanced hacking framework from scratch, nor did they use a famous offensive security toolkit. Instead, they used a freshly generated PowerShell script designed to explore a victim’s Active Directory environment. The code was messy, overly detailed, and filled with signs that an AI model had helped produce it.

The attack itself was not revolutionary. It followed a familiar cybercrime pattern: stolen credentials, remote access through RDP, internal reconnaissance, and data theft. But AI changed the speed and accessibility of the operation. A person with limited technical knowledge could now generate a tool capable of performing tasks that previously required much deeper expertise.

This incident represents a growing cybersecurity concern: AI does not need to create completely new attack methods to be dangerous. It only needs to make existing methods faster, cheaper, and easier to execute.

Huntress Investigation Reveals AI-Generated PowerShell Recon Tool

During an incident response investigation on June 3, 2026, Huntress analyst Jevon Ang discovered a suspicious PowerShell script running on a compromised Windows Server. The script was designed to gather detailed information about the victim’s Active Directory environment.

Unlike traditional malware samples, the script was not copied from public repositories, underground forums, or known hacking frameworks. It appeared to be custom-generated specifically for the attack.

Researchers recovered the script through PowerShell Script Block Logging, specifically Event ID 4104 inside the Microsoft-Windows-PowerShell/Operational log.

The script carried an unusual internal name:

“100% Working AD Information Gathering Script – FULLY FIXED”

That title immediately attracted attention. Security researchers believe it strongly suggests the attacker interacted with an AI model, repeatedly requested fixes, tested the output, and eventually copied the generated code into a file without cleaning up the AI-generated artifacts.

The saved filename was:

Untitled1.ps1

This is another strong indicator. It resembles the default naming behavior when someone copies code from an AI chat interface, places it into a text editor, and saves it without manually organizing the file.

The Attack Chain Was Traditional, But AI Made It Faster

Although AI played a role in creating the script, the actual attack method remained familiar.

The attacker first gained access through compromised RDP credentials. After entering the environment, they placed tools inside:

C:ProgramData

Within minutes, the attacker executed the custom PowerShell reconnaissance script.

The script collected valuable information about the internal network, including:

Active Directory users

Computers

Groups

Organizational Units

Domain trusts

DNS subnet information

Network structure

Email-related user information

The collected information was saved into timestamped CSV files under:

C:AD_Reports_

Later, the attacker deployed:

s5cmd.exe

A legitimate Amazon S3 command-line utility that has increasingly been abused by attackers for transferring stolen data.

The attacker also used:

SharpShares.exe

to search for additional network shares and possible data repositories.

This sequence follows a common cybercriminal playbook:

Gain access.

Discover the environment.

Identify valuable information.

Collect files.

Move stolen data externally.

The difference is that AI helped generate the reconnaissance capability much faster.

AI Fingerprints Found Inside the Malicious Script

Security researchers identified several signs that suggested AI involvement.

One of the strongest indicators was the way the script attempted to locate the domain controller.

The script used five different discovery methods:

DNS lookup

nltest

Active Directory PowerShell module

Environment variables

Hardcoded fallback value

A human developer usually selects one or two reliable methods.

An AI model, however, often tries to satisfy every possible requirement by generating multiple approaches.

A request like:

“Make sure the script always finds the domain controller”

could easily cause an AI assistant to produce an overly complicated solution containing every method it knows.

Huntress described this behavior as a clear AI-generated pattern.

The script even contained a hardcoded example:

$dc = "Server1.HR.local"

This was likely an AI-generated placeholder that the attacker failed to remove.

The value probably never activated because previous discovery methods would succeed. However, leaving it behind revealed the development process behind the attack.

The Strange Case of the AI-Generated HTML Report

One of the most unusual parts of the script was its final reporting stage.

Instead of simply collecting data and compressing it, the script generated a complete HTML summary report.

The output was designed to look organized and professional.

For defenders, this detail was fascinating because it appeared unnecessary for the attacker’s actual mission.

A traditional threat actor would likely collect the information, compress it, and transfer it.

The HTML report looked more like something an AI assistant added after interpreting a request such as:

“Create a complete Active Directory audit script with reporting.”

The AI did not understand that the attacker did not need a beautiful report. It simply generated additional functionality.

After creating the HTML summary, the script compressed the collected information into an archive.

The result was essentially an AI-assisted hacking tool with a polished reporting interface.

Why AI-Generated Malware Creates New Security Challenges

Traditional security tools often rely on known indicators:

File hashes

Malware signatures

Known command patterns

Reputation databases

However, AI-generated scripts create a major problem.

A threat actor can generate a new script for every victim.

The file may never appear anywhere else.

There is no previous sample.

There is no known hash.

There is no traditional signature.

A security solution searching for yesterday’s malware may completely miss tomorrow’s AI-generated attack.

This means cybersecurity defenses must evolve.

The question is no longer:

Have we seen this exact file before?

The better question is:

Is this behavior normal inside this environment?

Deep Analysis: Detecting AI-Assisted Active Directory Attacks

Modern defenders should focus on behavior rather than code appearance.

A suspicious PowerShell sequence could include:

Get-ADUser -Filter 

followed by:

Get-ADComputer -Filter 

and:

Export-Csv C:\AD_Reports\users.csv

Large-scale Active Directory enumeration should immediately raise attention.

Security teams can monitor PowerShell logging:

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational"

Look specifically for:

Event ID 4104

because this records executed PowerShell script blocks.

Administrators can enable enhanced PowerShell logging:

Set-ItemProperty <code>Path HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging</code>
Name EnableScriptBlockLogging `

Value 1

Network defenders should also monitor suspicious archive creation:

Compress-Archive

or commands creating ZIP files inside temporary directories.

Example suspicious behavior:

C:ProgramDatatool.exe

|

PowerShell AD enumeration

|

CSV exports

|

ZIP archive creation

|

External cloud upload

This attack chain is detectable regardless of whether the attacker wrote the code manually or received help from an AI model.

AI Lowers the Barrier for Cybercriminals

The biggest concern is not that AI creates magical hacking tools.

The real danger is accessibility.

Previously, an attacker needed:

Programming knowledge

Security experience

Understanding of Windows internals

Knowledge of Active Directory

Now, AI can provide guidance, explain errors, rewrite scripts, and improve functionality.

A beginner attacker can experiment faster.

An experienced attacker can automate more work.

The result is a wider pool of people capable of launching dangerous attacks.

This creates a cybersecurity environment where defenders must assume that attackers have access to advanced development assistance.

What Undercode Say:

AI is not replacing hackers, but it is becoming a powerful force multiplier.

The Huntress investigation demonstrates that the future of cybercrime may not be dominated by complex malware.

Instead, attackers may increasingly rely on simple, customized tools generated instantly.

The traditional idea of malware detection is becoming weaker.

A unique AI-generated PowerShell script may never appear again after one attack.

Security teams cannot depend only on previous samples.

Behavior analysis becomes the most important defensive layer.

The attacker in this incident did not create a revolutionary exploit.

They used stolen credentials and common tools.

The dangerous improvement came from speed.

AI allowed them to build reconnaissance capabilities quickly after gaining access.

This changes the economics of cybercrime.

Less-skilled attackers can attempt more advanced operations.

Experienced attackers can increase their efficiency.

The same AI technology helping companies automate tasks is also reducing the effort needed to conduct malicious operations.

Organizations should prepare for a future where every attacker has an AI assistant.

The question is no longer whether AI will appear in cyber attacks.

It already has.

The important question is whether defenders can detect the actions behind the AI-generated code.

A malicious script can change every time.

The behavior pattern usually cannot.

Active Directory enumeration remains suspicious.

Unexpected PowerShell activity remains suspicious.

Large-scale data collection remains suspicious.

Cloud uploads from unusual systems remain suspicious.

Security teams should invest more in:

Endpoint detection

Identity monitoring

PowerShell visibility

Behavioral analytics

Zero Trust architecture

AI-generated attacks require AI-era defenses.

The winner of the next cybersecurity battle will not be the side with the most powerful tools.

It will be the side that understands behavior faster.

Prediction

(+1) AI-assisted cyber attacks will continue growing as attackers discover that custom-generated tools are faster and harder to detect than traditional malware. Organizations that invest in behavioral security monitoring will gain a major advantage. 🚀

(+1) Security platforms will increasingly focus on identifying suspicious actions rather than searching only for known malware signatures. AI-powered defense systems will become a critical part of enterprise protection. ✅

(-1) Companies that continue relying only on antivirus signatures and outdated detection methods will face increasing risks as attackers generate unique scripts for every target. ⚠️

✅ Huntress documented the discovery of a custom PowerShell Active Directory reconnaissance script recovered through PowerShell Script Block Logging Event ID 4104.

✅ The attack chain involving RDP access, Active Directory discovery, data collection, and abuse of legitimate tools matches known modern intrusion techniques.

✅ The evidence strongly supports AI-assisted code generation, but detecting AI-written code alone is unreliable. The strongest defense remains behavioral monitoring and threat detection based on actions.

▶️ Related Video (74% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube