Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.[1][2]
Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as Phishing payloads.[3]
These scripts may also be compiled into self-contained executable payloads (.exe).[1][2]
| ID | Name | Description |
|---|---|---|
| G0087 | APT39 |
APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.[4] |
| S1111 | DarkGate |
DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as |
| S1213 | Lumma Stealer |
Lumma Stealer has utilized AutoIt malware scripts and AutoIt executables.[6][7] |
| S0530 | Melcoz |
Melcoz has been distributed through an AutoIt loader script.[8] |
| S1017 | OutSteel |
OutSteel was developed using the AutoIT scripting language.[9] |
| S1207 | XLoader |
XLoader can use an AutoIT script to decrypt a payload file, load it into victim memory, then execute it on the victim machine.[10] |
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention |
Use application control to prevent execution of |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0332 | Detection Strategy for AutoHotKey & AutoIT Abuse | AN0942 |
Detects execution of AutoHotKey or AutoIT interpreters or compiled scripts used for unauthorized automation, command execution, or payload delivery, correlated with anomalous process lineage, command-line arguments, or script creation events. |