Attacker Uses AI-Written PowerShell Script to Map a Company's Network
Researchers say an unknown intruder ran a script that looks machine-generated to catalogue users, computers and domain controllers inside a Windows network.

Key points
- Researchers found an intrusion where an unknown attacker ran a PowerShell script that appears to have been written with the help of an AI coding assistant.
- The script mapped Active Directory, the central directory Windows networks use to manage staff accounts and computers.
- It located the Domain Controller, listed users, computers and domains, and saved the results into a file called AD_Report.html.
- The findings were first reported by The Hacker News, and point to a wider trend of attackers using AI to draft their tools.
- Defenders are being urged to watch for unusual PowerShell activity and unexpected directory queries from ordinary user accounts.
Security researchers have flagged an intrusion that gives a rare look at how attackers are starting to use AI to write their own hacking tools.
In this case, the intruder ran a PowerShell script inside a victim's Windows network. PowerShell is a built-in scripting tool that comes with every modern version of Windows and is often used by IT staff for routine admin work. That familiarity is exactly why attackers like it.
What caught the researchers' attention was the shape of the code. It read less like something a seasoned hacker would hand-write and more like something produced by an AI coding assistant: heavy comments, tidy variable names, defensive error handling in places a human attacker would not usually bother.
What did the script actually do?
It quietly took a full inventory of the victim's network.
The script first located the Domain Controller, the central server that holds the master list of accounts and computers in a Windows network. From there it queried Active Directory, the directory service that keeps track of who is who inside an organisation.
It then pulled lists of users, computers and domains, created a working folder, and exported the results into a series of files. The final step was a summary file called AD_Report.html, which the attacker could open in a browser to check whether the enumeration had worked.
In plain terms, the intruder printed themselves a map of the building before deciding which doors to try.
Why this matters even if you have never heard of PowerShell
Mapping the network is usually one of the first moves in a serious intrusion. Once an attacker knows which accounts have admin rights and where the sensitive servers live, everything that follows, moving between machines, stealing data, deploying ransomware, becomes much easier.
The AI angle matters too. Writing a working Active Directory enumeration script used to take real skill. If less experienced criminals can now ask a chatbot to draft one for them, the barrier to entry drops. The Hacker News, which surfaced the research, noted that the code carried the hallmarks of AI-assisted development rather than a polished, hand-crafted intrusion tool.
Researchers did not publicly attribute the activity to a named group.
What defenders should be looking for
The activity leaves fingerprints, if anyone is watching.
Ordinary user accounts should almost never be running bulk Active Directory queries or writing HTML reports to disk. Security teams can look for PowerShell launching from unusual locations, sudden bursts of directory lookups from a single workstation, and any process creating files named like reports or dumps in a user's temp folder.
Turning on PowerShell script block logging, which records what scripts actually do when they run, makes this kind of behaviour much easier to spot after the fact.
Should ordinary staff worry?
Not directly, but they are still the front door.
Attackers typically get the initial foothold through a phishing email or a stolen password, not through the enumeration script itself. That script only runs once the intruder is already inside. So the practical advice for staff is unchanged: be sceptical of unexpected login prompts, use multi-factor authentication where offered, and report anything odd to IT quickly. The earlier someone notices, the less time the attacker has to draw their map.



