Detects execution of AutoHotKey or AutoIT interpreters or compiled scripts used for unauthorized automation, command execution, or payload delivery, correlated with anomalous process lineage, command-line arguments, or script creation events.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| TimeWindow | Tuning this helps identify automation behavior outside expected user work hours. |
| ParentProcessName | Used to isolate cases where AHK or AutoIT scripts are spawned by suspicious or unusual processes. |
| ScriptExtension | Script extensions such as .ahk or .au3 passed on the command line, plus compiled scripts that run as arbitrarily named .exe files and therefore carry no telltale extension. |
| ChildProcessCount | Threshold for number of spawned children to detect automation or modular malware behavior. |
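To make the tunable fields above concrete, the following Python is an added example (not part of the original analytic or of the AutoHotkey/AutoIt projects) that runs the described logic over a handful of constructed Sysmon Event ID 1 records. The interpreter image names are the binaries the two projects ship; the suspicious-parent list, work-hours window, child threshold, and the heuristic that a compiled script keeps the stub's PE version info (`Description` / `OriginalFileName`) unless the author re-stamps it are all assumptions to be tuned per environment.

```python
"""Toy analytic for the AutoHotkey / AutoIt detection strategy, run over
constructed Sysmon Event ID 1 (process creation) records.  Added example, not
part of the original page; the sample events below are fabricated."""
from collections import defaultdict
from datetime import datetime

# Interpreter binaries shipped by the two projects (lower-cased basenames).
INTERPRETERS = {
    "autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe", "autohotkeya32.exe",
    "autohotkey32.exe", "autohotkey64.exe", "autoit3.exe", "autoit3_x64.exe",
}
# ScriptExtension: script files handed to the interpreter on the command line.
SCRIPT_EXTENSIONS = (".ahk", ".au3")
# ParentProcessName (tunable, assumed list): parents from which an interactive
# automation tool is unexpected.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
WORK_HOURS = (8, 18)   # TimeWindow (tunable): 08:00-17:59 counts as business hours
CHILD_THRESHOLD = 3    # ChildProcessCount (tunable)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return how the event relates to AutoHotkey/AutoIt, or None."""
    if basename(ev["Image"]) in INTERPRETERS:
        return "interpreter"
    # Compiled scripts are the interpreter stub plus an embedded script; unless
    # the author re-stamps the PE, the stub's version info survives.  This is an
    # assumption used as a heuristic, not a guarantee.
    meta = (ev.get("Description", "") + " " + ev.get("OriginalFileName", "")).lower()
    if "autoit" in meta or "autohotkey" in meta:
        return "compiled"
    # Renamed interpreter: the script argument still gives it away.
    for tok in ev["CommandLine"].split():
        if tok.strip('"').lower().endswith(SCRIPT_EXTENSIONS):
            return "script-arg"
    return None


def analyze(events):
    """Map ProcessGuid -> finding for every AHK/AutoIt-related process."""
    findings = {}
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue
        reasons = []
        parent = basename(ev["ParentImage"])
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"parent={parent}")
        hour = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").hour
        if not WORK_HOURS[0] <= hour < WORK_HOURS[1]:
            reasons.append(f"off-hours={hour:02d}:00")
        findings[ev["ProcessGuid"]] = {"kind": kind, "image": basename(ev["Image"]),
                                       "reasons": reasons}
    # Second pass: count children spawned by the processes found above.
    children = defaultdict(int)
    for ev in events:
        if ev["ParentProcessGuid"] in findings:
            children[ev["ParentProcessGuid"]] += 1
    for guid, n in children.items():
        if n >= CHILD_THRESHOLD:
            findings[guid]["reasons"].append(f"children={n}")
    return findings


def alerts(events):
    """Only findings with at least one anomaly beyond 'it is AHK/AutoIt'."""
    return {g: f for g, f in analyze(events).items() if f["reasons"]}


def sysmon1(guid, parent_guid, image, cmd, parent, t, **extra):
    """Build a minimal Sysmon Event ID 1 record (constructed test data)."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid, "Image": image,
            "CommandLine": cmd, "ParentImage": parent, "UtcTime": t, **extra}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # A: a user's hotkey script started from Explorer during work hours (benign).
    sysmon1("A", "X", r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
            r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\hotkeys.ahk',
            r"C:\Windows\explorer.exe", "2024-05-06 10:15:02.417"),
    # B: AutoIt interpreter spawned by Word at night, then fanning out children.
    sysmon1("B", "W", r"C:\Users\bob\AppData\Local\Temp\AutoIt3.exe",
            r"AutoIt3.exe C:\Users\bob\AppData\Local\Temp\update.au3",
            r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
            "2024-05-06 22:41:03.120"),
    sysmon1("B1", "B", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
            r"C:\Users\bob\AppData\Local\Temp\AutoIt3.exe", "2024-05-06 22:41:04.001"),
    sysmon1("B2", "B", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "powershell.exe -nop -w hidden -c Get-Process",
            r"C:\Users\bob\AppData\Local\Temp\AutoIt3.exe", "2024-05-06 22:41:05.233"),
    sysmon1("B3", "B", r"C:\Windows\System32\reg.exe", r"reg.exe query HKCU\Software",
            r"C:\Users\bob\AppData\Local\Temp\AutoIt3.exe", "2024-05-06 22:41:06.900"),
    # C: compiled AutoIt script under an arbitrary name, launched from Outlook.
    sysmon1("C", "O", r"C:\Users\bob\AppData\Roaming\svc_helper.exe", "svc_helper.exe",
            r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
            "2024-05-06 14:02:11.008", Description="AutoIt v3 Script",
            OriginalFileName="AutoIt3.exe"),
    # D: renamed AutoHotkey interpreter run from cmd.exe at 03:12.
    sysmon1("D", "K", r"C:\Users\bob\AppData\Local\Temp\run.exe",
            r'run.exe "C:\Users\bob\AppData\Local\Temp\k.ahk"',
            r"C:\Windows\System32\cmd.exe", "2024-05-07 03:12:45.500"),
]

if __name__ == "__main__":
    for guid, f in alerts(SAMPLE_EVENTS).items():
        print(guid, f["image"], f["kind"], ", ".join(f["reasons"]))
```

Event A is recognised as the interpreter but raises no alert because none of the tunable conditions fire; B, C and D each trip a different field (parent lineage plus time window plus child fan-out, PE metadata of a compiled script, and a script extension on the command line of a renamed binary). In production the second pass would be a time-bounded join on ParentProcessGuid rather than a count over the whole batch.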