1. Home
  2. Techniques
  3. Enterprise
  4. Command and Scripting Interpreter
  5. AutoHotKey & AutoIT

Command and Scripting Interpreter: AutoHotKey & AutoIT

ID Name
T1059.001 PowerShell
T1059.002 AppleScript
T1059.003 Windows Command Shell
T1059.004 Unix Shell
T1059.005 Visual Basic
T1059.006 Python
T1059.007 JavaScript
T1059.008 Network Device CLI
T1059.009 Cloud API
T1059.010 AutoHotKey & AutoIT

Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.[1][2]

Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as Phishing payloads.[3]

These scripts may also be compiled into self-contained executable payloads (.exe).[1][2]

ID: T1059.010
Sub-technique of:  T1059
Tactic: Execution
Platforms: Windows
Contributors: @_montysecurity; Liran Ravich, CardinalOps; Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International; Serhii Melnyk, Trustwave SpiderLabs; TruKno
Version: 1.0
Created: 29 March 2024
Last Modified: 28 April 2024
Version Permalink

Procedure Examples

ID Name Description
G0087 APT39

APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.[4]
S1111 DarkGate

DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as test.au3.[5]
S0530 Melcoz

Melcoz has been distributed through an AutoIt loader script.[6]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Use application control to prevent execution of AutoIt3.exe, AutoHotkey.exe, and other related features that may not be required for a given system or network to prevent potential misuse by adversaries.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of malicious execution. Compare recent invocations of AutoIt3.exe and AutoHotkey.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands).
DS0009 Process Process Creation

Monitor and analyze the execution and arguments of the AutoIt3.exe and AutoHotkey.exe interpreters. Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if AutoHotkey.exe is the parent process for additional suspicious processes and activity.

References

  1. AutoIT. (n.d.). Running Scripts. Retrieved March 29, 2024.
  2. AutoHotkey Foundation LLC. (n.d.). Using the Program. Retrieved March 29, 2024.
  3. Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.
  1. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  2. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  3. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.