title: "AutoHotKey & AutoIT (T1059.010)"
id: df00tech-t1059-010
status: experimental
description: "Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are Windows scripting languages for automating desktop tasks such as clicking buttons, entering text, and managing programs. Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code, deploy keyloggers, and deliver phishing payloads. Scripts can also be compiled into self-contained executables that bundle the interpreter, in which case neither the interpreter image name nor a script extension appears on the command line. Malware families and threat actors including DarkGate, Lumma Stealer, APT39, and XLoader have leveraged AutoIT and AutoHotKey for malware delivery and execution."
references:
  - https://attack.mitre.org/techniques/T1059/010/
  - https://df00tech.com/detections/T1059.010
author: df00tech
date: 2026/04/16
tags:
  - attack.execution
  - attack.t1059.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Baseline process_creation logic for the interpreter binaries and script extensions
  # named in the description; the KQL/SPL query on df00tech may cover more.
  selection_img:
    - Image|endswith:
        - '\AutoIt3.exe'
        - '\AutoIt3_x64.exe'
        - '\AutoHotkey.exe'
        - '\AutoHotkeyU32.exe'
        - '\AutoHotkeyU64.exe'
        - '\AutoHotkeyA32.exe'
        - '\AutoHotkey32.exe'
        - '\AutoHotkey64.exe'
    # OriginalFileName comes from the PE version resource and survives renaming of the interpreter
    - OriginalFileName:
        - 'AutoIt3.exe'
        - 'AutoHotkey.exe'
  selection_script:
    CommandLine|contains:
      - '.au3'
      - '.ahk'
  # Compiled scripts match neither selection unless their version resource still names the interpreter
  condition: selection_img or selection_script
falsepositives:
  - IT departments using AutoIT for legitimate desktop automation and software deployment scripts
  - AutoHotKey users with custom keyboard shortcuts and text expansion macros
  - Software testing teams using AutoIT for GUI test automation
level: medium
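To see how this rule behaves on real telemetry shapes, the following added example (not part of the df00tech rule or the Sigma project) re-implements the two selections in Python and runs them over constructed Sysmon-style process_creation events. It assumes the rule's image suffixes, OriginalFileName values and script extensions as written above; all paths, script names and the "compiled_stripped" event (a compiled script whose version resource no longer names the interpreter) are hypothetical sample data. The run shows a match on the interpreter image, a match on OriginalFileName alone after the binary was renamed, the expected false positive from a legitimate text-expansion macro, and the compiled-script case the rule does not cover.

```python
"""Evaluate the rule's process_creation selections over constructed Sysmon-style events."""
from __future__ import annotations

# Field values mirror the Sigma rule: Image suffixes, OriginalFileName values, script extensions.
IMAGE_SUFFIXES = (
    "\\autoit3.exe", "\\autoit3_x64.exe",
    "\\autohotkey.exe", "\\autohotkeyu32.exe", "\\autohotkeyu64.exe",
    "\\autohotkeya32.exe", "\\autohotkey32.exe", "\\autohotkey64.exe",
)
ORIGINAL_FILENAMES = ("autoit3.exe", "autohotkey.exe")
SCRIPT_EXTENSIONS = (".au3", ".ahk")


def matches(event: dict) -> list[str]:
    """Return the names of the selections that fire for one event (empty list = no alert).

    Sigma string modifiers are case-insensitive, so both sides are lowercased before comparing.
    """
    fired = []
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILENAMES:
        fired.append("selection_img")
    if any(ext in cmdline for ext in SCRIPT_EXTENSIONS):
        fired.append("selection_script")
    return fired


# Constructed sample events (not real telemetry); paths and file names are illustrative only.
SAMPLE_EVENTS = [
    {"label": "autoit_loader",  # interpreter dropped to a world-writable path, runs a .au3
     "Image": "C:\\Users\\Public\\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": "AutoIt3.exe C:\\Users\\Public\\update.au3"},
    {"label": "renamed_interpreter",  # binary renamed, PE version resource still says AutoIt3.exe
     "Image": "C:\\ProgramData\\svchost.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": "svchost.exe C:\\ProgramData\\data.bin"},
    {"label": "ahk_hotstrings",  # legitimate text-expansion macro: the expected false positive
     "Image": "C:\\Program Files\\AutoHotkey\\AutoHotkeyU64.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": "\"AutoHotkeyU64.exe\" C:\\Users\\alice\\hotstrings.ahk"},
    {"label": "compiled_stripped",  # hypothetical compiled script with rewritten version info
     "Image": "C:\\Users\\Public\\invoice.exe",
     "OriginalFileName": "invoice.exe",
     "CommandLine": "invoice.exe"},
    {"label": "benign_notepad",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
]


def run(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each event label to the list of selections it triggered."""
    return {e["label"]: matches(e) for e in events}


if __name__ == "__main__":
    for label, fired in run().items():
        print(f"{label:20s} -> {'ALERT ' + ','.join(fired) if fired else 'no match'}")
```

The "renamed_interpreter" event is why the rule carries the OriginalFileName list: a renamed AutoIt3.exe defeats the Image suffix match but not the version-resource check. The "compiled_stripped" event illustrates the gap the description warns about; covering it needs a different data source (file hash or import-table based detection, or behavioural rules on what the compiled script does), not a wider command-line pattern.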
