DarkGate Autoit3.exe Execution Parameters

Detects execution of the legitimate Autoit3 utility from a suspect parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

Sigma rule

```yaml
title: DarkGate Autoit3.exe Execution Parameters
id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
status: experimental
description: |
    Detects execution of the legitimate Autoit3 utility from a suspect parent process. AutoIt3.exe is used within
    the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
    command-and-control server.
references:
    - Internal Research
    - https://github.security.telekom.com/2023/08/darkgate-loader.html
    - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
    - https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023/10/12
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_proc:
        - Image|endswith: '\Autoit3.exe'
        - OriginalFileName: 'AutoIt3.exe'
    selection_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\KeyScramblerLogon.exe'
            - '\msiexec.exe'
    filter_normal_autoit3:
        Image: 'C:\Program Files (x86)\AutoIt3\AutoIt3.exe'
    condition: all of selection_* and not filter_normal_autoit3
falsepositives:
    - Unlikely
level: high
```
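To see how the rule's condition resolves, here is an added example (not code from the Sigma project or the rule's author) that re-implements the detection logic in plain Python and runs it over a few constructed process-creation events. It follows Sigma's default semantics: string comparisons are case-insensitive, a list of maps under `selection_proc` is OR-ed, and `condition` requires both selections while excluding the default install path.

```python
# Added example: evaluates the DarkGate Autoit3.exe rule logic over
# constructed Windows process_creation events (not real telemetry).

def matches_darkgate_autoit3(event: dict) -> bool:
    """Return True if the event satisfies the rule's condition."""
    image = event.get("Image", "").lower()          # Sigma matching is case-insensitive
    original = event.get("OriginalFileName", "").lower()
    parent = event.get("ParentImage", "").lower()

    # selection_proc: a list of maps, so either entry is enough (OR)
    selection_proc = image.endswith("\\autoit3.exe") or original == "autoit3.exe"

    # selection_parent: ParentImage|endswith with a value list (OR across values)
    suspect_parents = ("\\cmd.exe", "\\keyscramblerlogon.exe", "\\msiexec.exe")
    selection_parent = any(parent.endswith(p) for p in suspect_parents)

    # filter_normal_autoit3: the default installation path is treated as benign
    filter_normal = image == r"c:\program files (x86)\autoit3\autoit3.exe"

    # condition: all of selection_* and not filter_normal_autoit3
    return selection_proc and selection_parent and not filter_normal


# Constructed sample events (paths are illustrative, not observed indicators)
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\AppData\Local\Temp\Autoit3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},          # suspect path + cmd.exe parent
    {"Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},          # default install: filtered out
    {"Image": r"C:\Temp\renamed.exe",
     "OriginalFileName": "AutoIt3.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},      # renamed binary, caught by OriginalFileName
    {"Image": r"C:\Temp\Autoit3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},              # parent not in the suspect list
]


def evaluate(events) -> list:
    """Apply the rule to each event; returns one bool per event."""
    return [matches_darkgate_autoit3(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", event["Image"], "<-", event["ParentImage"])
```

The third event shows why the `OriginalFileName` branch matters: renaming the interpreter on disk does not change the PE version resource that Sysmon and similar sources report.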
