Threat actors are now using AI (vibe coding) to generate bespoke PowerShell scripts for Active Directory reconnaissance, bypassing traditional signature-based detection. Huntress analysts recovered and dissected a real AI-generated AD enumeration script (Untitled1.ps1) used in a June 2026 incident. The script exhibits clear LLM hallmarks: a 'FULLY FIXED' title from iterative prompting, an unedited placeholder server name, over-engineered five-method DC discovery, repetitive try/catch blocks, and excessive colorful console output. The script systematically dumps AD users, computers, groups, OUs, subnets, and trusts into CSVs, generates an HTML summary report, and zips everything for exfiltration. The key detection implication: since vibe-coded scripts are unique per generation, hash and static signature detection fails. Defenders must pivot to behavioral analytics targeting the underlying AD interaction patterns that AI cannot obscure.
Nguồn: https://www.huntress.com/blog/ai-coded-malware-vibe-coding-active-directory. 8sync News chỉ tóm tắt và dẫn link; bản quyền nội dung thuộc tác giả và nguồn gốc.
Living-off-the-land (LoTL) attacks abuse legitimate tools like PowerShell, WMI, and RMM software to blend in with normal IT activity. Five key warning signs distinguish malicious use from routine admin work: the tool appearing in unexpected hands, activity originating from unusual machines, abnormal process chains, subtly off command-line syntax, and follow-on behaviors like reconnaissance or lateral movement. Defenders should pressure-test suspicious activity by examining who used the tool, where it ran, how it launched, and what happened next. Preventive measures include better process chain visibility, stronger admin activity logging, tighter control over high-risk tools, and eliminating dormant accounts and legacy systems.
Kerberoasting is an Active Directory attack that abuses the Kerberos protocol to steal service account passwords. Any authenticated domain user can request a TGS ticket for any SPN, then crack it offline using tools like Hashcat. The attack is popular because it requires no special privileges and doesn't trigger account lockouts. Detection relies on monitoring Windows Event ID 4769 for anomalous SPN requests or RC4 ticket requests. Defenses include migrating service accounts to Group Managed Service Accounts (gMSA), enforcing AES256 encryption, using long randomly generated passwords, auditing SPN assignments, and deploying honeypot accounts to catch reconnaissance early.
Elastic Security Labs has uncovered a banking malware campaign (REF6045) targeting Mexican financial sector customers using ClickFix social engineering. Victims are lured to fake CAPTCHA pages and tricked into pasting malicious PowerShell commands into the Windows Run dialog. The installed SCMBANKER toolkit establishes persistence, captures keystrokes, monitors banking sessions, manipulates clipboard contents, and can deploy remote access software. Researchers also found evidence of LLM-assisted malware development. Recommended defenses include user training on fake CAPTCHA recognition, restricting PowerShell and Windows Run dialog usage, and deploying EDR solutions.
Elastic Security Labs details REF6045, a Mexican banking fraud operation deploying SCMBANKER — a PowerShell toolkit delivered via ClickFix fake-CAPTCHA pages. Once installed, the operator-assisted toolkit enables banking session monitoring, vishing overlays, browser redirects to phishing pages, clipboard hijacking of CLABE account numbers and card numbers, screenshot capture, keylogging, and silent installation of Remote Utilities for full remote access. The toolkit shows strong signs of AI-assisted development: LLM-generated code artifacts including heavy banner comments, self-documenting obfuscation, and profanity-laced comments in sensitive modules suggest the operator prompted a Spanish-language LLM for most functional scripts. Significant OPSEC failures — open directories, an exposed full web-root archive, and an unauthenticated file editor — allowed full recovery of the operation's tooling. The post includes MITRE ATT&CK mappings, IOCs, and Elastic detection rules.
Socket researchers uncovered Operation 'Muck and Load', a malware campaign that began with a malicious Go module impersonating a DNS/subdomain scanner. The module embedded hidden PowerShell execution that downloaded encrypted payloads from public dead-drop services (Pastebin, YouTube, Instagram, Telegram), ultimately deploying AsyncRAT, Quasar, Remcos RATs, Vidar infostealer, and Monero cryptominers via password-protected archives. Pivoting from the initial module revealed a GitHub lure network of 222 confirmed repositories across 190 accounts, all using automated commit-farming GitHub Actions workflows to appear active and legitimate. The repositories targeted users seeking crypto tools, wallet utilities, game cheats, and offensive tooling. At least 14 confirmed malware files were found across the network. The malicious Go module has been blocked from the Go module proxy, and GitHub has been notified. The campaign overlaps with previously reported ischhfd83-linked repository-backdoor activity.
BadSuccessor is a privilege escalation vulnerability in Windows Server 2025 affecting Delegated Managed Service Accounts (dMSAs). A low-privileged user with CreateChild rights on an Organizational Unit can create a dMSA, link it to a Domain Administrator account via the msDS-ManagedAccountPrecededByLink attribute, and set the migration state to 'Completed'. The KDC then injects the Domain Admin's SIDs into the Kerberos ticket PAC, effectively granting Domain Admin privileges without needing the admin's password. The post covers the vulnerability mechanics, the missing permission check flaw, and provides step-by-step proof-of-concept exploitation using SharpSuccessor and Rubeus on Windows, and bloodyAD with impacket on Kali Linux.
Windows Event Viewer generates thousands of log entries but buries actionable errors in noise, making it nearly useless for most users. By exporting logs via PowerShell — including WHEA hardware errors, disk/NTFS warnings, Task Scheduler, and System/Application logs — and feeding them to Claude with a targeted prompt, it's possible to surface real problems. In one session, Claude identified a faulty USB drive causing data loss, escalating UPS overload alarms, and MSI Center exhausting UDP ports and causing intermittent network issues — all issues that had been silently logged but never noticed.
A writer who covers automation spent a week using Claude Code to clean up their chaotic Windows 11 PC. The experiment covered organizing a Downloads folder by file content (not just extension), auditing startup entries and scheduled tasks, performing disk forensics to find stale VMs and LLM model files, and batch-renaming screenshots using vision capabilities. The key insight is that AI agents handle ambiguous, judgment-heavy tasks that traditional scripts cannot — like reading a PDF to determine where it belongs. The author shares the actual prompts used throughout, emphasizes a dry-run-first, human-approval workflow to avoid accidental data loss, and notes the prompts can be reused with local LLMs.