T1059.010 Google Chronicle · YARA-L

Detect AutoHotKey & AutoIT in Google Chronicle

Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks such as clicking buttons, entering text, and managing programs. Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code, deploy keyloggers, and deliver phishing payloads. These scripts can be compiled into self-contained executables. Threat actors including DarkGate, Lumma Stealer, APT39, and XLoader have leveraged AutoIT and AutoHotKey for malware delivery and execution.

MITRE ATT&CK

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter
Sub-technique: T1059.010 AutoHotKey & AutoIT
Canonical reference: https://attack.mitre.org/techniques/T1059/010/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule autoit_ahk_execution_t1059_010 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects AutoIT and AutoHotKey script execution indicative of MITRE ATT&CK T1059.010. Covers DarkGate, Lumma Stealer, APT39, and XLoader TTPs."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.010"
    reference = "https://attack.mitre.org/techniques/T1059/010/"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Interpreter binary launched directly
      re.regex($e.target.process.file.full_path, `(?i)(AutoIt3\.exe|AutoHotkey\.exe|AutoHotkeyU64\.exe|AutoHotkeyU32\.exe)$`) or
      // Interpreter or script extension referenced on the command line
      re.regex($e.target.process.command_line, `(?i)(AutoIt3\.exe|AutoHotkey|AutoIt|AutoHotkeyU)`) or
      re.regex($e.target.process.command_line, `(?i)\.(au3|ahk)(\s|$|"|')`) or
      // Script API calls commonly seen in inline/one-liner abuse
      re.regex($e.target.process.command_line, `(?i)(URLDownloadToFile|_WinHttpSimpleRequest|ShellExecute\(|FileInstall\(|DllCall\()`) or
      re.regex($e.target.process.command_line, `(?i)(Hotkey,|SetKeyDelay,|SendInput,|SendRaw,|Send,)`)
    )
    // Match variable: the match section groups on it, so it must be bound here
    $hostname = $e.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // Additive score; a single 20-point signal alone does not satisfy "> 20"
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)(\\Temp\\|\\tmp\\|AppData)`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)(URLDownloadToFile|_WinHttpSimpleRequest|Inet\.au3)`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)DllCall\(`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)(Hotkey,|SetKeyDelay,|SendInput,)`), 20, 0) +
      if(re.regex($e.target.process.file.full_path, `(?i)(AutoIt3\.exe|AutoHotkey)`), 10, 0)
    )
    // Event fields in a rule with a match window must be aggregated
    $username = array_distinct($e.principal.user.userid)
    $process_name = array_distinct($e.target.process.file.full_path)
    $command_line = array_distinct($e.target.process.command_line)
    $parent_process = array_distinct($e.principal.process.file.full_path)

  condition:
    $e and $risk_score > 20
}
```

Chronicle YARA-L 2.0 rule detecting AutoIT and AutoHotKey execution aligned with T1059.010. Uses UDM PROCESS_LAUNCH events to identify executions of AutoIT/AHK interpreters or commands containing scripting patterns associated with malicious use. Risk scoring elevates alerts when temp-path execution, network download, DLL injection, or keylogging patterns are present.

Data Sources

  • Google Chronicle UDM
  • Windows Endpoint Events via Chronicle forwarder
  • Sysmon via Chronicle

Required Tables

process_events UDM

False Positives & Tuning

  • IT automation tooling built on AutoHotKey for service desk workflows including automated form submission or ticketing system integrations
  • Software deployment pipelines that use AutoIT-compiled executables to automate silent installations of applications across the enterprise fleet
  • Security awareness or red team training exercises where AutoIT/AHK scripts are intentionally executed in controlled environments

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AutoHotKey Script Execution

    Expected signal: Sysmon Event ID 1: Process Create for AutoHotkey.exe with .ahk file in CommandLine. Sysmon Event ID 11: File Create for the .ahk script in Temp directory.

  2. Test 2: AutoIT Script Execution

    Expected signal: Sysmon Event ID 1: Process Create for AutoIt3.exe with .au3 file in CommandLine. Sysmon Event ID 11: File Create for the .au3 script in Temp directory.

  3. Test 3: AutoIT Compiled Executable Detection

    Expected signal: Sysmon Event ID 1: PowerShell process creation. The script scans for compiled AutoIT executables by checking PE metadata.
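To check the rule's trigger tiers, per-host scoring and the `> 20` condition before deploying it, the following is an added Python harness (not the page's own code and not a Chronicle API): it re-implements the rule's regexes and outcome arithmetic over constructed UDM-shaped PROCESS_LAUNCH records modelled on the Test 1 and Test 2 expected signals above. Hostnames, user paths and script names are made up.

```python
import re

# Added harness (not the page's code): mirrors the rule's events/outcome logic offline.
FLAGS = re.IGNORECASE  # YARA-L's (?i) prefix
INTERPRETER_PATH = re.compile(
    r"(AutoIt3\.exe|AutoHotkey\.exe|AutoHotkeyU64\.exe|AutoHotkeyU32\.exe)$", FLAGS)
CMDLINE_TRIGGERS = [re.compile(p, FLAGS) for p in (
    r"(AutoIt3\.exe|AutoHotkey|AutoIt|AutoHotkeyU)",
    r"\.(au3|ahk)(\s|$|\"|')",
    r"(URLDownloadToFile|_WinHttpSimpleRequest|ShellExecute\(|FileInstall\(|DllCall\()",
    r"(Hotkey,|SetKeyDelay,|SendInput,|SendRaw,|Send,)",
)]
# (field, pattern, weight): the outcome section's additive risk score
RISK_FACTORS = [(f, re.compile(p, FLAGS), w) for f, p, w in (
    ("command_line", r"(\\Temp\\|\\tmp\\|AppData)", 20),
    ("command_line", r"(URLDownloadToFile|_WinHttpSimpleRequest|Inet\.au3)", 20),
    ("command_line", r"DllCall\(", 20),
    ("command_line", r"(Hotkey,|SetKeyDelay,|SendInput,)", 20),
    ("full_path", r"(AutoIt3\.exe|AutoHotkey)", 10),
)]

def matches_events(ev):
    """events section: PROCESS_LAUNCH plus an interpreter path or any command-line trigger."""
    if ev["event_type"] != "PROCESS_LAUNCH":
        return False
    return bool(INTERPRETER_PATH.search(ev["full_path"])) or any(
        p.search(ev["command_line"]) for p in CMDLINE_TRIGGERS)

def risk_score(ev):
    return sum(w for f, p, w in RISK_FACTORS if p.search(ev[f]))

def evaluate(events):
    """match on hostname, max() the score per host, keep hosts whose score exceeds 20."""
    by_host = {}
    for e in events:
        if matches_events(e):
            by_host[e["hostname"]] = max(by_host.get(e["hostname"], 0), risk_score(e))
    return {h: s for h, s in by_host.items() if s > 20}

def ev(host, path, cmd):  # constructed UDM-like PROCESS_LAUNCH record
    return {"event_type": "PROCESS_LAUNCH", "hostname": host, "full_path": path, "command_line": cmd}

SAMPLES = [  # constructed, shaped like the Test 1 / Test 2 expected signals
    # benign helpdesk AHK run from Program Files: interpreter path only, score 10, no alert
    ev("ws01", r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
       r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\Documents\helpdesk.ahk'),
    # Test 1 shape: AutoHotkey.exe and .ahk under Temp: 20 (temp path) + 10 (interpreter) = 30
    ev("ws02", r"C:\Users\bob\AppData\Local\Temp\AutoHotkey.exe",
       r'"C:\Users\bob\AppData\Local\Temp\AutoHotkey.exe" C:\Users\bob\AppData\Local\Temp\upd.ahk'),
    # Test 2 shape: AutoIt3.exe with a .au3 script from Temp: 20 + 10 = 30
    ev("ws03", r"C:\Windows\Temp\AutoIt3.exe", r"C:\Windows\Temp\AutoIt3.exe C:\Windows\Temp\setup.au3"),
]
```

Running `evaluate(SAMPLES)` returns only ws02 and ws03; the Program Files launch matches the events section but its single 10-point factor never crosses the condition, which is the behaviour the tuning notes above rely on.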
