PT Application Firewall

A web application firewall

T1059.010: AutoHotKey & AutoIT

Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.

Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as Phishing payloads.

These scripts may also be compiled into self-contained executable payloads (.exe).

Positive Technologies products that cover the technique

Detection

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor and analyze the execution and arguments of the AutoIt3.exe and AutoHotkey.exe interpreters. Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if AutoHotkey.exe is the parent process for additional suspicious processes and activity.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of malicious execution. Compare recent invocations of AutoIt3.exe and AutoHotkey.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands).

Mitigation

IDM1038NameExecution PreventionDescription

Use application control to prevent execution of AutoIt3.exe, AutoHotkey.exe, and other related features that may not be required for a given system or network to prevent potential misuse by adversaries.