DarkGate Autoit3.exe Execution Parameters
Detects execution of the legitimate Autoit3 utility from a suspect parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.
Sigma rule
```yaml
title: DarkGate Autoit3.exe Execution Parameters
id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
status: experimental
description: |
    Detects execution of the legitimate Autoit3 utility from a suspect parent process. AutoIt3.exe is used within
    the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
    command-and-control server.
references:
    - Internal Research
    - https://github.security.telekom.com/2023/08/darkgate-loader.html
    - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
    - https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023/10/12
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_proc:
        - Image|endswith: '\Autoit3.exe'
        - OriginalFileName: 'AutoIt3.exe'
    selection_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\KeyScramblerLogon.exe'
            - '\msiexec.exe'
    filter_normal_autoit3:
        Image: 'C:\Program Files (x86)\AutoIt3\AutoIt3.exe'
    condition: all of selection_* and not filter_normal_autoit3
falsepositives:
    - Unlikely
level: high
```
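To see how the condition `all of selection_* and not filter_normal_autoit3` behaves on real-looking telemetry, here is an added Python example (not part of the rule or of the Sigma project) that evaluates the same logic over a handful of constructed `process_creation` events. It mirrors Sigma's default case-insensitive matching, the OR between the two `selection_proc` list items, the parent-image list, and the exclusion of the standard install path; the event values are made up for illustration.

```python
# Re-implementation of the rule's detection logic for testing; the events below are constructed samples.
SUSPECT_PARENTS = (r"\cmd.exe", r"\keyscramblerlogon.exe", r"\msiexec.exe")
NORMAL_AUTOIT3 = r"c:\program files (x86)\autoit3\autoit3.exe"

# Constructed process_creation events (not real telemetry).
EVENTS = [
    # 0: AutoIt3 dropped in a temp folder, launched by cmd.exe -> should alert
    {"Image": r"C:\Users\u\AppData\Local\Temp\Autoit3.exe",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 1: standard install path launched by cmd.exe -> excluded by the filter
    {"Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 2: unrelated process -> no match
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    # 3: renamed binary still identified by OriginalFileName, parent msiexec.exe -> should alert
    {"Image": r"C:\tmp\renamed.exe",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    # 4: suspicious path but parent not in the list -> no match
    {"Image": r"C:\tmp\Autoit3.exe",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def selection_proc(ev):
    """Either list item may match (Sigma list-of-maps is OR); matching is case-insensitive."""
    image = ev.get("Image", "").lower()
    orig = ev.get("OriginalFileName", "").lower()
    return image.endswith(r"\autoit3.exe") or orig == "autoit3.exe"


def selection_parent(ev):
    """ParentImage|endswith with a list of values is OR across the values."""
    parent = ev.get("ParentImage", "").lower()
    return any(parent.endswith(suffix) for suffix in SUSPECT_PARENTS)


def filter_normal_autoit3(ev):
    """Exact (case-insensitive) match on the default AutoIt3 install path."""
    return ev.get("Image", "").lower() == NORMAL_AUTOIT3


def matches(ev):
    """condition: all of selection_* and not filter_normal_autoit3"""
    return selection_proc(ev) and selection_parent(ev) and not filter_normal_autoit3(ev)


def alerting_indices(events):
    """Return the indices of events that would trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]
```

Note that event 3 is caught only through `OriginalFileName`, which is why the rule keeps that selector alongside the `Image` suffix check.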
Related rules
- Autoit3.exe Executable File Creation Matching DarkGate Behavior
- Quick Execution of a Series of Suspicious Commands
- Suspicious User-Initiated Process Execution on External Drive (Old)
- Suspicious User-Initiated Process Execution on External Drive (Sysmon)
- Suspicious Command Line Indicating BlackCat Execution