Renamed Automation Script Interpreter
Identifies renamed automation script interpreter processes, including AutoIt, AutoHotkey, and KIX32. Malware operators may rename these executables to avoid detection.
Elastic rule
[metadata]
creation_date = "2020/09/01"
integration = ["endpoint", "windows", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/29"

[rule]
author = ["Elastic"]
description = """
Identifies renamed automation script interpreter processes, including AutoIt, AutoHotkey, and KIX32. Malware operators
may rename these executables to avoid detection.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-m365_defender.event-*",
  "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Renamed Automation Script Interpreter"
risk_score = 73
rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender XDR",
  "Data Source: Crowdstrike"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (
    (process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe") or
    (process.pe.original_file_name == "AutoHotkey.exe" and not process.name : ("AutoHotkey*.exe", "InternalAHK.exe")) or
    (process.pe.original_file_name == "KIX32.EXE" and not process.name : "KIX*.exe" and process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "\\Device\\HarddiskVolume*\\Users\\*.exe", "\\Device\\HarddiskVolume*\\ProgramData\\*.exe"))
  )
'''

note = """## Triage and analysis

### Investigating Renamed Automation Script Interpreter
#### Possible investigation steps

- Which interpreter family and masquerade path did the alert capture?
  - Why: the PE original-name/runtime-name mismatch is decisive, and AutoIt, AutoHotkey, and KIX32 have different normal baselines.
  - Focus: `process.pe.original_file_name`, `process.name`, `process.executable`, and `process.command_line`.
  - Implication: escalate when AutoIt, AutoHotkey, or KIX32 identity is hidden by a misleading name, recent rename, or user-writable path, especially KIX32 under Users or ProgramData; lower suspicion when family, path, and command line fit one stable packaged automation or logon-script bundle.
  - Hint: variants may strip PE original-name metadata or run under the expected interpreter name; if path or command line still points to AutoIt, AutoHotkey, or KIX content, keep reviewing lineage and artifacts.

- Is the binary identity consistent with a recognized interpreter package or a repackaged copy?
  - Focus: `process.hash.sha256`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.executable`.
  - Implication: escalate when signer, hash, or path is unknown, untrusted, or inconsistent with AutoIt, AutoHotkey, or KIX32 packaging; lower suspicion only when identity, path, parent, and command line fit one recognized package. Trusted identity does not clear suspicious use.

- Does the launch context explain why the interpreter ran under this name?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.command_line`, `user.id`, and `host.id`.
  - Implication: escalate when Office, browsers, archive tools, LOLBins, or unusual admin or service contexts launch it, or when arguments point to hidden A3X, AHK, KIX, or payload execution; lower suspicion when parent, user, host, and arguments match recurring deployment, logon-script, or packaging workflow.

- Did the same process stage or touch script or payload artifacts?
  - Focus: file events from `host.id` plus `process.entity_id`, and script or payload paths in `process.command_line`. $investigate_0
  - Implication: escalate when the process writes, extracts, renames, or runs scriptable or executable content from temp, downloads, user-profile, or share-backed paths, or with internet provenance; lower suspicion when artifacts stay inside one recognized package tree. Missing file telemetry is unresolved, not benign.
  - Hint: if `process.entity_id` is absent, recover with `host.id`, `process.pid`, and the tight alert window.

- Did the renamed interpreter produce follow-on execution, persistence, or egress?
  - Focus: child process events from `process.entity_id`; same-process registry or network activity. $investigate_1 $investigate_2
  - Implication: escalate when it spawns shells or script engines, writes autorun or service state, or contacts rare external destinations; lower suspicion when follow-on activity stays inside the same bounded automation task. Missing registry or network telemetry is unresolved, not benign.
  - Hint: if `process.entity_id` is absent, recover with `host.id`, `process.pid`, and the tight alert window.

- If local findings remain suspicious or unresolved, do related alerts show broader compromise?
  - Focus: related alerts for `user.id`, especially masquerading, script-interpreter, persistence, or credential-access activity. $investigate_3
  - Hint: compare `host.id` alerts for the same interpreter path, renamed binaries, or adjacent defense-evasion activity. $investigate_4
  - Implication: broaden scope when either view shows related masquerading, staging, persistence, or post-compromise behavior; keep local when related alerts are absent and all local evidence fits one stable automation workflow.

- Escalate on PE/name mismatch plus suspicious lineage, staging, persistence, egress, or related alerts; close only when path, parent, user, host, artifacts, and activity bind to one stable benign workflow with no contradictions; preserve artifacts and escalate when evidence is mixed or visibility is incomplete.

### False positive analysis

- Software packaging, endpoint automation, KIX logon-script deployment, or authorized testing can rename AutoIt, AutoHotkey, or KIX32 interpreters inside a stable bundle. Confirm `process.pe.original_file_name`, `process.hash.sha256` or `process.code_signature.subject_name`, `process.executable`, `process.parent.executable`, `process.command_line`, `user.id`, and `host.id` align with one workflow; recovered artifacts or destinations should stay bounded to it, and missing telemetry is not benign evidence.
- Before creating an exception, validate the workflow locally and check recurrence for stable anchors: `process.executable`, `process.hash.sha256` or `process.code_signature.subject_name`, `process.parent.executable`, `user.id`, and `host.id`. Build the minimum pattern and avoid exceptions on `process.pe.original_file_name`, `process.name`, or `host.id` alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the exact workflow evidence: interpreter family, executable path, hash or signer, parent executable, user, host, and artifact scope. Create an exception only after that same pattern recurs across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the process event, executable copy or hash, parent and child lineage, referenced scripts or payloads, and any recovered registry or destination indicators before containment or cleanup. Apply reversible containment tied to the finding, such as temporary destination restrictions, heightened monitoring, or host isolation only when payload delivery, persistence, or egress risk is meaningful.
- If confirmed malicious, preserve the renamed interpreter `process.entity_id`, command line, executable hash or signer, child processes, and recovered artifacts first. Then isolate the affected host when identity, lineage, artifact, persistence, or egress evidence shows active compromise, weighing host criticality before isolation.
- Before eradication, scope related users and hosts for the same executable path, parent, script or payload paths, persistence keys, and destinations so cleanup does not destroy evidence needed to understand spread.
- Quarantine the renamed interpreter, associated scripts, and extracted support files identified during triage; remove only persistence or launcher artifacts confirmed in this case; block confirmed malicious hashes or destinations tied to the same activity.
- After containment, retain the confirmed workflow or malicious artifact set for future triage and avoid suppressing the broader AutoIt, AutoHotkey, or KIX32 interpreter families.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "user.id",
  "process.entity_id",
  "process.pid",
  "process.name",
  "process.executable",
  "process.command_line",
  "process.pe.original_file_name",
  "process.hash.sha256",
  "process.code_signature.trusted",
  "process.code_signature.subject_name",
  "process.parent.entity_id",
  "process.parent.executable",
  "process.parent.command_line",
]

[transform]

[[transform.investigate]]
label = "File activity by the renamed interpreter"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process activity from the renamed interpreter"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Registry or network activity by the renamed interpreter"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "registry", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.010"
name = "AutoHotKey & AutoIT"
reference = "https://attack.mitre.org/techniques/T1059/010/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
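To see how the query's three branches and their exclusions behave on concrete events, here is an added Python re-implementation of the EQL above (example code, not Elastic's), run over constructed sample process-start events. The helpers `eql_like`, `matches_rule`, `ev` and `run_samples`, the sample events, and the use of `fnmatch` to approximate EQL's case-insensitive `:` operator are all assumptions made for this example.

```python
# Added example, not Elastic's code: this rule's EQL logic re-implemented in Python
# and run over constructed sample process-start events, so each branch and its
# exclusions can be exercised offline.
import fnmatch

# Executable locations the KIX32 branch is limited to (user-writable paths).
KIX_USER_WRITABLE = (r"?:\Users\*.exe", r"?:\ProgramData\*.exe",
                     r"\Device\HarddiskVolume*\Users\*.exe",
                     r"\Device\HarddiskVolume*\ProgramData\*.exe")


def eql_like(value, patterns):
    """Approximate EQL ':' : case-insensitive '*'/'?' wildcard match, false on a missing field."""
    if value is None:
        return False
    if isinstance(patterns, str):
        patterns = (patterns,)
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def matches_rule(event):
    """Return the interpreter family the event triggers, or None.
    Keys are flattened ECS field names; EQL '==' is case-sensitive and false when absent."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return None
    orig = event.get("process.pe.original_file_name")
    name = event.get("process.name")
    if eql_like(orig, "AutoIt*.exe") and not eql_like(name, "AutoIt*.exe"):
        return "AutoIt"
    if orig == "AutoHotkey.exe" and not eql_like(name, ("AutoHotkey*.exe", "InternalAHK.exe")):
        return "AutoHotkey"
    if (orig == "KIX32.EXE" and not eql_like(name, "KIX*.exe")
            and eql_like(event.get("process.executable"), KIX_USER_WRITABLE)):
        return "KIX32"
    return None


def ev(orig, name, exe, os_type="windows"):
    """Build a constructed sample event; orig=None models stripped PE metadata."""
    e = {"host.os.type": os_type, "event.type": "start",
         "process.name": name, "process.executable": exe}
    if orig is not None:
        e["process.pe.original_file_name"] = orig
    return e


# Constructed sample events (label, event); none are real telemetry.
SAMPLES = [
    ("autoit_renamed", ev("AutoIt3.exe", "svchost.exe", r"C:\Users\Public\svchost.exe")),
    ("autoit_normal", ev("AutoIt3.exe", "AutoIt3_x64.exe", r"C:\Program Files\AutoIt3\AutoIt3_x64.exe")),
    ("ahk_renamed", ev("AutoHotkey.exe", "update.exe", r"C:\Users\bob\AppData\Local\Temp\update.exe")),
    ("ahk_normal", ev("AutoHotkey.exe", "AutoHotkeyU64.exe", r"C:\Program Files\AutoHotkey\AutoHotkeyU64.exe")),
    ("kix_renamed_programdata", ev("KIX32.EXE", "logon.exe", r"C:\ProgramData\Corp\logon.exe")),
    ("kix_renamed_programfiles", ev("KIX32.EXE", "logon.exe", r"C:\Program Files\Corp\logon.exe")),
    ("kix_normal_sysvol", ev("KIX32.EXE", "kix32.exe", r"\\corp.example\SYSVOL\scripts\kix32.exe")),
    ("metadata_stripped", ev(None, "helper.exe", r"C:\Users\bob\Downloads\helper.exe")),
    ("linux_host", ev("AutoIt3.exe", "svchost.exe", "/tmp/svchost.exe", os_type="linux")),
]


def run_samples(samples=SAMPLES):
    """Return {label: family} for every sample the rule would alert on."""
    return {label: fam for label, event in samples if (fam := matches_rule(event))}
```

Note that `metadata_stripped` never fires, which is exactly the gap the guide's hint about stripped PE original-name metadata describes; `kix_renamed_programfiles` is excluded only by the path restriction on the KIX32 branch.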
Related rules
- Control Panel Process with Unusual Arguments
- Disabling Lsa Protection via Registry Modification
- IIS HTTP Logging Disabled
- Microsoft Build Engine Started by an Office Application
- Proxy Execution via Console Window Host