Detect AutoHotKey & AutoIT in CrowdStrike LogScale
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks such as clicking buttons, entering text, and managing programs. Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code, deploy keyloggers, and deliver phishing payloads. These scripts can be compiled into self-contained executables. Threat actors including DarkGate, Lumma Stealer, APT39, and XLoader have leveraged AutoIT and AutoHotKey for malware delivery and execution.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.010 AutoHotKey & AutoIT
- Canonical reference: https://attack.mitre.org/techniques/T1059/010/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| FileName=/AutoIt3\.exe|AutoHotkey\.exe|AutoHotkeyU64\.exe|AutoHotkeyU32\.exe/i
  OR CommandLine=/\.au3/i
  OR CommandLine=/\.ahk/i
  OR CommandLine=/URLDownloadToFile|_WinHttpSimpleRequest|ShellExecute\(|FileInstall\(|DllCall\(/i
  OR CommandLine=/Hotkey,|SetKeyDelay,|SendInput,|SendRaw,|Send,/i
// Interpreter flags
| case { FileName=/AutoIt3\.exe/i OR CommandLine=/\.au3/i | IsAutoIT := "true"; * | IsAutoIT := "false" }
| case { FileName=/AutoHotkey/i OR CommandLine=/\.ahk/i | IsAHK := "true"; * | IsAHK := "false" }
// Behaviour indicators: each is weighted 2 when present and 0 otherwise, so the score is a plain sum
| case { CommandLine=/\\Temp\\|\\tmp\\|AppData|%TEMP%/i | ScriptFromTemp := 2; * | ScriptFromTemp := 0 }
| case { CommandLine=/URLDownloadToFile|_WinHttpSimpleRequest|Inet/i | NetworkActivity := 2; * | NetworkActivity := 0 }
| case { CommandLine=/DllCall\(/i | DllCall := 2; * | DllCall := 0 }
| case { CommandLine=/Hotkey,|SetKeyDelay,|SendInput,|SendRaw,/i | KeyLogging := 2; * | KeyLogging := 0 }
| SuspicionScore := ScriptFromTemp + NetworkActivity + DllCall + KeyLogging
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, IsAutoIT, IsAHK, ScriptFromTemp, NetworkActivity, DllCall, KeyLogging, SuspicionScore])
| sort([SuspicionScore, @timestamp], order=desc)
Detects AutoIT and AutoHotKey script execution using CrowdStrike Falcon ProcessRollup2 events. Identifies executions of AutoIt3.exe and the AutoHotkey interpreter variants, as well as command-line patterns indicating .au3/.ahk script invocation, network download functions, DLL calls, and keylogging API usage consistent with T1059.010 behaviour from DarkGate, Lumma Stealer, and APT39. The flags are computed with case expressions (assignments in LogScale accept arithmetic and literals, not regex matches), and a single multi-field sort ranks the highest score first rather than a second sort undoing the first.
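The same filter, enrichment and scoring reimplemented in Python over constructed ProcessRollup2 events, so the logic can be unit-tested outside LogScale. This is an added example, not the page's or CrowdStrike's code; field names follow the query above, the events are constructed, and the /AutoIt3ExecuteLine command line is a placeholder with its script body elided.

```python
import re

# Filter stage: patterns mirror the LogScale query (all case-insensitive).
FILTER_RES = [
    ("FileName", r"AutoIt3\.exe|AutoHotkey\.exe|AutoHotkeyU64\.exe|AutoHotkeyU32\.exe"),
    ("CommandLine", r"\.au3"),
    ("CommandLine", r"\.ahk"),
    ("CommandLine", r"URLDownloadToFile|_WinHttpSimpleRequest|ShellExecute\(|FileInstall\(|DllCall\("),
    ("CommandLine", r"Hotkey,|SetKeyDelay,|SendInput,|SendRaw,|Send,"),
]
# Enrichment flags; the last four each add 2 to SuspicionScore.
FLAGS = {
    "IsAutoIT": [("FileName", r"AutoIt3\.exe"), ("CommandLine", r"\.au3")],
    "IsAHK": [("FileName", r"AutoHotkey"), ("CommandLine", r"\.ahk")],
    "ScriptFromTemp": [("CommandLine", r"\\Temp\\|\\tmp\\|AppData|%TEMP%")],
    "NetworkActivity": [("CommandLine", r"URLDownloadToFile|_WinHttpSimpleRequest|Inet")],
    "DllCall": [("CommandLine", r"DllCall\(")],
    "KeyLogging": [("CommandLine", r"Hotkey,|SetKeyDelay,|SendInput,|SendRaw,")],
}
SCORED = ("ScriptFromTemp", "NetworkActivity", "DllCall", "KeyLogging")

def _any(event, pairs):
    return any(re.search(rx, event.get(field, ""), re.I) for field, rx in pairs)

def matches_filter(event):
    return event.get("event_simpleName") == "ProcessRollup2" and _any(event, FILTER_RES)

def enrich(event):
    flags = {name: _any(event, pairs) for name, pairs in FLAGS.items()}
    flags["SuspicionScore"] = sum(2 for name in SCORED if flags[name])
    return {**event, **flags}

def run_detection(events):
    hits = [enrich(e) for e in events if matches_filter(e)]
    # Highest score first, newest first within a score (the query's sort).
    return sorted(hits, key=lambda h: (h["SuspicionScore"], h["@timestamp"]), reverse=True)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-01-01T10:00:00Z", "ComputerName": "WS01",
     "UserName": "alice", "FileName": "AutoIt3.exe",  # interpreter in Temp, inline script with DLL + network calls
     "CommandLine": r'C:\Users\alice\AppData\Local\Temp\AutoIt3.exe /AutoIt3ExecuteLine "DllCall(...); InetGet(...)"'},
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-01-01T10:05:00Z", "ComputerName": "WS02",
     "UserName": "helpdesk", "FileName": "AutoHotkeyU64.exe",  # legitimate helpdesk macro: matched, score 0
     "CommandLine": r'"C:\Tools\AutoHotkeyU64.exe" C:\Tools\ticket_macros.ahk'},
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-01-01T10:10:00Z", "ComputerName": "WS03",
     "UserName": "bob", "FileName": "invoice_update.exe",  # compiled AutoIT script: invisible to this query
     "CommandLine": r'C:\Users\bob\Downloads\invoice_update.exe'},
]
```

The third event shows the gap the page's Test 3 addresses: a script compiled into a self-contained executable carries none of the interpreter names or extensions, so PE metadata checks are needed to catch it. The API-name patterns only fire when script source appears on the command line, as with AutoIt's /AutoIt3ExecuteLine switch; a script file passed by path exposes just its extension and location.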
False Positives & Tuning
- Legitimate helpdesk or IT automation scripts using AutoHotKey for repetitive administrative tasks such as log review automation or ticket management
- Software bundled with AutoIT runtime for legitimate application installation or update workflows distributed through the corporate software catalog
- Developer workstations running AutoIT or AutoHotKey IDE environments for script development and testing purposes
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are given as Sysmon events; in Falcon, the process creation in each test surfaces as the ProcessRollup2 event the query above consumes.
- Test 1: AutoHotKey Script Execution
Expected signal: Sysmon Event ID 1: Process Create for AutoHotkey.exe with .ahk file in CommandLine. Sysmon Event ID 11: File Create for the .ahk script in Temp directory.
- Test 2: AutoIT Script Execution
Expected signal: Sysmon Event ID 1: Process Create for AutoIt3.exe with .au3 file in CommandLine. Sysmon Event ID 11: File Create for the .au3 script in Temp directory.
- Test 3: AutoIT Compiled Executable Detection
Expected signal: Sysmon Event ID 1: PowerShell process creation. The script scans for compiled AutoIT executables by checking PE metadata.
References
- https://attack.mitre.org/techniques/T1059/010/
- https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html
- https://www.autoitscript.com/autoit3/docs/intro/running.htm
- https://www.autohotkey.com/docs/v1/Program.htm
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.010/T1059.010.md