T1059.010 AutoHotKey & AutoIT Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AutoITPatterns = dynamic([
  "AutoIt3.exe", "AutoIt", ".au3",
  "#include <Inet.au3>", "#include <File.au3>",
  "ShellExecute(", "RunWait(", "Run(",
  "FileInstall(", "DllCall(", "_WinHttpSimpleRequest",
  "ProcessClose(", "RegWrite(", "RegRead(",
  "@ScriptDir", "@TempDir", "@AppDataDir"
]);
let AHKPatterns = dynamic([
  "AutoHotkey.exe", "AutoHotkey", ".ahk",
  "Send,", "SendInput,", "SendRaw,",
  "RunWait,", "Run,", "WinActivate,",
  "FileAppend,", "URLDownloadToFile,",
  "DllCall(", "RegWrite,", "RegRead,",
  "Hotkey,", "SetKeyDelay,"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("AutoIt3.exe", "AutoHotkey.exe", "AutoHotkeyU64.exe", "AutoHotkeyU32.exe")
    or ProcessCommandLine has_any (AutoITPatterns)
    or ProcessCommandLine has_any (AHKPatterns)
| extend IsAutoIT = FileName =~ "AutoIt3.exe" or ProcessCommandLine has ".au3"
| extend IsAHK = FileName has "AutoHotkey" or ProcessCommandLine has ".ahk"
| extend ScriptFromTemp = ProcessCommandLine has_any ("\\Temp\\", "\\tmp\\", "%TEMP%", "AppData")
| extend NetworkActivity = ProcessCommandLine has_any ("URLDownloadToFile", "_WinHttpSimpleRequest", "Inet")
| extend KeyLogging = ProcessCommandLine has_any ("Hotkey,", "SetKeyDelay,", "Send,", "SendInput,")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsAutoIT, IsAHK, ScriptFromTemp, NetworkActivity, KeyLogging
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT departments using AutoIT for legitimate desktop automation and software deployment scripts
AutoHotKey users with custom keyboard shortcuts and text expansion macros
Software testing teams using AutoIT for GUI test automation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\AutoIt3.exe" OR Image="*\\AutoHotkey.exe" OR Image="*\\AutoHotkeyU64.exe" OR Image="*\\AutoHotkeyU32.exe" OR CommandLine="*.au3*" OR CommandLine="*.ahk*")
| eval IsAutoIT=if(match(Image, "AutoIt3\.exe$") OR match(CommandLine, "\.au3"), 1, 0)
| eval IsAHK=if(match(Image, "AutoHotkey") OR match(CommandLine, "\.ahk"), 1, 0)
| eval ScriptFromTemp=if(match(CommandLine, "(\\Temp\\|\\tmp\\|%TEMP%|AppData)"), 1, 0)
| eval NetworkActivity=if(match(CommandLine, "(URLDownloadToFile|_WinHttpSimpleRequest|Inet)"), 1, 0)
| eval DllCall=if(match(CommandLine, "DllCall\("), 1, 0)
| eval SuspicionScore=ScriptFromTemp*2 + NetworkActivity*2 + DllCall*2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsAutoIT, IsAHK, ScriptFromTemp, NetworkActivity, DllCall, SuspicionScore
| sort - SuspicionScore, - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT departments using AutoIT for legitimate desktop automation
AutoHotKey users with custom keyboard shortcuts
Software testing teams using AutoIT for GUI test automation

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    process.name in~ ("AutoIt3.exe", "AutoHotkey.exe", "AutoHotkeyU64.exe", "AutoHotkeyU32.exe") or
    process.args : ("*.au3", "*.ahk") or
    process.command_line : ("*AutoIt*", "*AutoHotkey*", "*.au3*", "*.ahk*")
  )
  | eval is_autoit = process.name == "AutoIt3.exe" or process.command_line like "*.au3*"
  | eval is_ahk = process.name like "*AutoHotkey*" or process.command_line like "*.ahk*"
  | eval script_from_temp = process.command_line like "*\\Temp\\*" or process.command_line like "*AppData*" or process.command_line like "*%TEMP%*"
  | eval network_activity = process.command_line like "*URLDownloadToFile*" or process.command_line like "*_WinHttpSimpleRequest*" or process.command_line like "*Inet*"
  | eval key_logging = process.command_line like "*Hotkey,*" or process.command_line like "*SetKeyDelay,*" or process.command_line like "*SendInput,*"
  | eval dll_call = process.command_line like "*DllCall(*"
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs via Winlogbeat Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate IT automation scripts using AutoHotKey for keyboard remapping, window management, or productivity automation deployed by the IT department
AutoIT-based software installers or legitimate application automation tools used by helpdesk or operations teams
Software testing frameworks and QA automation pipelines that use AutoIT or AutoHotKey for GUI testing of Windows applications

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN "Image" ILIKE '%AutoIt3.exe' OR "CommandLine" ILIKE '%.au3%' THEN 1
    ELSE 0
  END AS is_autoit,
  CASE
    WHEN "Image" ILIKE '%AutoHotkey%' OR "CommandLine" ILIKE '%.ahk%' THEN 1
    ELSE 0
  END AS is_ahk,
  CASE
    WHEN "CommandLine" ILIKE '%\Temp\%' OR "CommandLine" ILIKE '%AppData%' OR "CommandLine" ILIKE '%\tmp\%' THEN 2
    ELSE 0
  END AS temp_score,
  CASE
    WHEN "CommandLine" ILIKE '%URLDownloadToFile%' OR "CommandLine" ILIKE '%_WinHttpSimpleRequest%' OR "CommandLine" ILIKE '%Inet%' THEN 2
    ELSE 0
  END AS network_score,
  CASE
    WHEN "CommandLine" ILIKE '%DllCall(%' THEN 2
    ELSE 0
  END AS dll_score,
  CASE
    WHEN "CommandLine" ILIKE '%URLDownloadToFile%' OR "CommandLine" ILIKE '%_WinHttpSimpleRequest%' OR "CommandLine" ILIKE '%Inet%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "CommandLine" ILIKE '%\Temp\%' OR "CommandLine" ILIKE '%AppData%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "CommandLine" ILIKE '%DllCall(%' THEN 2
    ELSE 0
  END AS suspicion_score
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND QIDNAME(qid) IN ('Process Create', 'A new process has been created')
  AND (
    "Image" ILIKE '%AutoIt3.exe'
    OR "Image" ILIKE '%AutoHotkey.exe'
    OR "Image" ILIKE '%AutoHotkeyU64.exe'
    OR "Image" ILIKE '%AutoHotkeyU32.exe'
    OR "CommandLine" ILIKE '%.au3%'
    OR "CommandLine" ILIKE '%.ahk%'
  )
  AND devicetime > (NOW() - 86400000)
ORDER BY suspicion_score DESC, devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via QRadar DSM Windows Event Log DSM

Required Tables

events

False Positives

Enterprise automation tools built on AutoHotKey for standardized workflows across the organization such as form-filling bots or data entry automation
AutoIT-packaged legitimate software that bundles the AutoIT runtime as part of its installer or runtime environment
Security tools or pentest frameworks that use AutoHotKey for UI automation during authorized assessments

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID = "1" or EventCode = "4688"
| where Image matches "*AutoIt3.exe" or Image matches "*AutoHotkey.exe" or Image matches "*AutoHotkeyU64.exe" or Image matches "*AutoHotkeyU32.exe" or CommandLine matches "*.au3*" or CommandLine matches "*.ahk*"
| eval is_autoit = if(Image matches "*AutoIt3.exe" or CommandLine matches "*.au3*", 1, 0)
| eval is_ahk = if(Image matches "*AutoHotkey*" or CommandLine matches "*.ahk*", 1, 0)
| eval script_from_temp = if(CommandLine matches "*\\Temp\\*" or CommandLine matches "*\\tmp\\*" or CommandLine matches "*AppData*", 1, 0)
| eval network_activity = if(CommandLine matches "*URLDownloadToFile*" or CommandLine matches "*_WinHttpSimpleRequest*" or CommandLine matches "*Inet*", 1, 0)
| eval dll_call = if(CommandLine matches "*DllCall(*", 1, 0)
| eval key_logging = if(CommandLine matches "*Hotkey,*" or CommandLine matches "*SetKeyDelay,*" or CommandLine matches "*SendInput,*" or CommandLine matches "*Send,*", 1, 0)
| eval suspicion_score = (script_from_temp * 2) + (network_activity * 2) + (dll_call * 2) + (key_logging * 2)
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, is_autoit, is_ahk, script_from_temp, network_activity, dll_call, key_logging, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity high confidence

Data Sources

Sysmon for Windows Windows Security Event Log Windows Event Log Collector

Required Tables

windows/sysmon windows/security

False Positives

Legitimate productivity automation scripts distributed by IT that use AutoHotKey for remapping keys or automating repetitive desktop tasks
Application packaging solutions that compile AutoIT scripts into EXEs for software distribution across the enterprise
Automated testing pipelines for Windows GUI applications that rely on AutoIT or AutoHotKey for driving the user interface during QA

Google Chronicle / SecOps

yaral

rule autoit_ahk_execution_t1059_010 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects AutoIT and AutoHotKey script execution indicative of MITRE ATT&CK T1059.010. Covers DarkGate, Lumma Stealer, APT39, and XLoader TTPs."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.010"
    reference = "https://attack.mitre.org/techniques/T1059/010/"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(AutoIt3\.exe|AutoHotkey\.exe|AutoHotkeyU64\.exe|AutoHotkeyU32\.exe)$`) or
      re.regex($e.target.process.command_line, `(?i)(AutoIt3\.exe|AutoHotkey|AutoIt|AutoHotkeyU)`) or
      re.regex($e.target.process.command_line, `(?i)\.(au3|ahk)(\s|$|"|')`) or
      re.regex($e.target.process.command_line, `(?i)(URLDownloadToFile|_WinHttpSimpleRequest|ShellExecute\(|FileInstall\(|DllCall\()`) or
      re.regex($e.target.process.command_line, `(?i)(Hotkey,|SetKeyDelay,|SendInput,|SendRaw,|Send,)`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)(\\Temp\\|\\tmp\\|AppData)`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)(URLDownloadToFile|_WinHttpSimpleRequest|Inet\.au3)`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)DllCall\(`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)(Hotkey,|SetKeyDelay,|SendInput,)`), 20, 0) +
      if(re.regex($e.target.process.file.full_path, `(?i)(AutoIt3\.exe|AutoHotkey)`), 10, 0)
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_name = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path

  condition:
    $e and $risk_score > 20
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint Events via Chronicle forwarder Sysmon via Chronicle

Required Tables

process_events UDM

False Positives

IT automation tooling built on AutoHotKey for service desk workflows including automated form submission or ticketing system integrations
Software deployment pipelines that use AutoIT-compiled executables to automate silent installations of applications across the enterprise fleet
Security awareness or red team training exercises where AutoIT/AHK scripts are intentionally executed in controlled environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /AutoIt3\.exe|AutoHotkey\.exe|AutoHotkeyU64\.exe|AutoHotkeyU32\.exe/i
  OR CommandLine = /\.au3/i
  OR CommandLine = /\.ahk/i
  OR CommandLine = /URLDownloadToFile|_WinHttpSimpleRequest|ShellExecute\(|FileInstall\(|DllCall\(/i
  OR CommandLine = /Hotkey,|SetKeyDelay,|SendInput,|SendRaw,|Send,/i
| eval IsAutoIT := FileName = /AutoIt3\.exe/i OR CommandLine = /\.au3/i
| eval IsAHK := FileName = /AutoHotkey/i OR CommandLine = /\.ahk/i
| eval ScriptFromTemp := CommandLine = /\\Temp\\|\\tmp\\|AppData|%TEMP%/i
| eval NetworkActivity := CommandLine = /URLDownloadToFile|_WinHttpSimpleRequest|Inet/i
| eval DllCall := CommandLine = /DllCall\(/i
| eval KeyLogging := CommandLine = /Hotkey,|SetKeyDelay,|SendInput,|SendRaw,/i
| eval SuspicionScore := (if(ScriptFromTemp, 2, 0)) + (if(NetworkActivity, 2, 0)) + (if(DllCall, 2, 0)) + (if(KeyLogging, 2, 0))
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, IsAutoIT, IsAHK, ScriptFromTemp, NetworkActivity, DllCall, KeyLogging, SuspicionScore])
| sort(SuspicionScore, order=desc)
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon ProcessRollup2 events

Required Tables

ProcessRollup2

False Positives

Legitimate helpdesk or IT automation scripts using AutoHotKey for repetitive administrative tasks such as log review automation or ticket management
Software bundled with AutoIT runtime for legitimate application installation or update workflows distributed through the corporate software catalog
Developer workstations running AutoIT or AutoHotKey IDE environments for script development and testing purposes

AutoHotKey & AutoIT

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections