Description
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code on a victim's system. For example, adversaries have used AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as phishing payloads.(Citation: Splunk DarkGate)
These scripts may also be compiled into self-contained executable payloads (.exe). The compiled binary bundles the interpreter together with the script, so it runs without AutoIt3.exe or AutoHotkey.exe being installed on the host.(Citation: AutoIT)(Citation: AutoHotKey)
Platforms
Windows
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention | Use application control to prevent execution of AutoIt3.exe, AutoHotkey.exe, and related binaries (such as the script compilers) that are not required on a given system or network. Note that a compiled script carries its own copy of the interpreter, and a renamed interpreter keeps its original name only in its version resource, so a rule keyed on the interpreter's path or file name stops neither; pair the deny rule with an allowlist (publisher- or hash-based) that blocks unsigned or unknown executables from user-writable locations. |
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.(Citation... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has utilized AutoIt malware scripts and AutoIt executables.(Citation: Qualys LummaStealer 202... |
| S0530 | Melcoz | Malware | [Melcoz](https://attack.mitre.org/software/S0530) has been distributed through an AutoIt loader script.(Citation: Securelist Brazilian Banking Malware... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can use an AutoIT script to decrypt a payload file, load it into victim memory, then execute it on ... |
| S1017 | OutSteel | Malware | [OutSteel](https://attack.mitre.org/software/S1017) was developed using the AutoIT scripting language.(Citation: Palo Alto Unit 42 OutSteel SaintBot F... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as `tes... |
References
- AutoHotkey Foundation LLC. (n.d.). Using the Program. Retrieved March 29, 2024.
- AutoIT. (n.d.). Running Scripts. Retrieved March 29, 2024.
- Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.
Frequently Asked Questions
What is T1059.010 (AutoHotKey & AutoIT)?
T1059.010 is a MITRE ATT&CK sub-technique named 'AutoHotKey & AutoIT', under Command and Scripting Interpreter (T1059) in the Execution tactic. Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts, two scripting languages that enable users to automate Windows tasks.
How can T1059.010 be detected?
Detection of T1059.010 (AutoHotKey & AutoIT) relies on endpoint telemetry more than on network traffic. Look for process-creation events in which AutoIt3.exe or AutoHotkey.exe, or a renamed copy (identifiable by the OriginalFileName in its version resource), launches a .au3 or .ahk file, particularly from temporary, ProgramData or user-profile directories or under an Office parent process; for the creation of .au3/.ahk files on disk; and, because compiled payloads never invoke the interpreter by name, for the markers the AutoIt and AutoHotkey compilers leave in the resulting executable. Feed these into SIEM rules or EDR detections and tune the path list to the environment.
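As an added example (not part of the ATT&CK entry and not code from the AutoIt or AutoHotkey projects), the following Python triage script covers both views of the technique: the interpreter-launched form from the description and the compiled-executable form, which is the case the detection question above has to handle because no interpreter name ever appears in telemetry. Field names follow Sysmon Event ID 1 (Image, OriginalFileName, ParentImage, CommandLine); all sample events and file bytes are constructed, and the staging-directory list and Office parent list are the author's assumptions about what is worth flagging. The compiler markers are the well-known strings the two compilers leave in their output.

```python
"""Triage helpers for AutoIt / AutoHotkey execution (T1059.010).

Two views of the same technique:
  1. process-creation telemetry (Sysmon Event ID 1 style fields): an
     interpreter, possibly renamed, launching a script from a staging path
     or under an Office parent;
  2. files on disk: compiled scripts bundle the interpreter, so no
     AutoIt3.exe/AutoHotkey.exe ever shows up in telemetry. The compilers do
     leave recognisable markers inside the PE, which is what we look for.
"""
import re
from pathlib import PureWindowsPath

# Interpreter images shipped by AutoIt v3 and AutoHotkey v1/v2.
INTERPRETERS = {
    "autoit3.exe", "autoit3_x64.exe",
    "autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe", "autohotkeya32.exe",
    "autohotkey32.exe", "autohotkey64.exe",
}
# Assumption: a script interpreter under one of these parents usually means a document lure.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# .au3 / .ahk are the source forms; .a3x is AutoIt's tokenised form, which AutoIt3.exe also runs.
SCRIPT_ARG = re.compile(r'\.(?:au3|a3x|ahk)(?:"|\s|$)', re.IGNORECASE)
# Assumption: paths legitimate automation is rarely launched from but droppers favour.
STAGING_DIR = re.compile(r"\\(?:temp|programdata|public|downloads|appdata)\\", re.IGNORECASE)


def analyze_process_event(event: dict) -> list[str]:
    """Return the reasons this process-creation event deserves a look (empty = nothing seen)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()   # taken from the PE version resource
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cmdline = event.get("CommandLine", "")
    reasons: list[str] = []

    is_interpreter = image in INTERPRETERS or original in INTERPRETERS
    if not is_interpreter:
        return reasons
    if image not in INTERPRETERS:
        reasons.append(f"renamed interpreter: {image} has OriginalFileName {original}")
    if SCRIPT_ARG.search(cmdline):
        reasons.append("interpreter launched with a script argument")
        if STAGING_DIR.search(cmdline):
            reasons.append("script path is in a user-writable staging directory")
    if parent in OFFICE_PARENTS:
        reasons.append(f"interpreter spawned by Office application {parent}")
    return reasons


# Markers the compilers leave in the output PE. Compiled AutoIt carries the
# "AU3!EA06" script header and a fixed stub comment; Ahk2Exe stores the script
# in an RCDATA resource named ">AUTOHOTKEY SCRIPT<", which sits in the PE
# resource directory as UTF-16LE (hence the encode).
COMPILED_MARKERS = {
    b"AU3!EA06": "AutoIt compiled script header",
    b"This is a third-party compiled AutoIt script.": "AutoIt compiled stub string",
    ">AUTOHOTKEY SCRIPT<".encode("utf-16-le"): "AutoHotkey compiled script resource",
}


def compiled_script_markers(data: bytes) -> list[str]:
    """Labels of compiler markers present in a file's bytes (works on renamed binaries too)."""
    return [label for marker, label in COMPILED_MARKERS.items() if marker in data]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {   # interpreter dropped next to its script in a Temp subfolder, run from cmd
        "Image": r"C:\Users\alice\AppData\Local\Temp\test\AutoIt3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\test\AutoIt3.exe" "C:\Users\alice\AppData\Local\Temp\test\script.au3"',
    },
    {   # AutoHotkey interpreter renamed to blend in; OriginalFileName gives it away
        "Image": r"C:\ProgramData\svc.exe",
        "OriginalFileName": "AutoHotkey.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\ProgramData\svc.exe C:\ProgramData\up.ahk",
    },
    {   # Word launching AutoIt: the Office-document delivery pattern
        "Image": r"C:\Users\alice\AppData\Roaming\AutoIt3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Users\alice\AppData\Roaming\AutoIt3.exe" "C:\Users\alice\AppData\Roaming\doc.au3"',
    },
    {   # an admin's own hotkey script: low signal, one generic reason only
        "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
        "OriginalFileName": "AutoHotkey.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\bob\Documents\hotkeys.ahk"',
    },
]

# Constructed file contents standing in for a compiled AutoIt payload, a compiled
# AutoHotkey payload and an unrelated executable (not real PE files).
SAMPLE_FILES = {
    "update.exe": b"MZ" + b"\x00" * 62 + b"This is a third-party compiled AutoIt script.\x00" + b"AU3!EA06" + b"\x00" * 32,
    "helper.exe": b"MZ" + b"\x00" * 62 + ">AUTOHOTKEY SCRIPT<".encode("utf-16-le") + b"\x00" * 32,
    "notepad.exe": b"MZ" + b"\x00" * 62 + b"Microsoft Windows\x00",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(PureWindowsPath(ev["Image"]).name, "->", analyze_process_event(ev) or "nothing seen")
    for name, blob in SAMPLE_FILES.items():
        print(name, "->", compiled_script_markers(blob) or "no compiler markers")
```

The process check deliberately returns a list of reasons rather than a verdict: a lone "interpreter launched with a script argument" is what a power user's hotkey script looks like, while the same event with a staging-directory path, a renamed image or an Office parent is worth a ticket. The byte scan is a plain substring search so it still works on a binary that has been renamed or copied to an unusual path; run it over new executables in user-writable directories rather than the whole disk.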
What mitigations exist for T1059.010?
There is one documented mitigation for T1059.010: Execution Prevention (M1038).
Which threat groups use T1059.010?
Known threat groups using T1059.010 include: APT39.