Renamed AutoHotkey.EXE Execution
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
Sigma rule

```yaml
title: Renamed AutoHotkey.EXE Execution
id: 0f16d9cf-0616-45c8-8fad-becc11b5a41c
status: test
description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
references:
    - https://www.autohotkey.com/download/
    - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
author: Nasreddine Bencherchali
date: 2023-02-07
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Product|contains: 'AutoHotkey'
        - Description|contains: 'AutoHotkey'
        - OriginalFileName:
              - 'AutoHotkey.exe'
              - 'AutoHotkey.rc'
    filter:
        - Image|endswith:
              - '\AutoHotkey.exe'
              - '\AutoHotkey32.exe'
              - '\AutoHotkey32_UIA.exe'
              - '\AutoHotkey64.exe'
              - '\AutoHotkey64_UIA.exe'
              - '\AutoHotkeyA32.exe'
              - '\AutoHotkeyA32_UIA.exe'
              - '\AutoHotkeyU32.exe'
              - '\AutoHotkeyU32_UIA.exe'
              - '\AutoHotkeyU64.exe'
              - '\AutoHotkeyU64_UIA.exe'
        - Image|contains: '\AutoHotkey'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
```
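The rule's logic, re-implemented in Python over a handful of constructed process_creation events so the selection/filter interplay can be checked offline. This is an added example, not code from the Sigma project; the event dictionaries use Sysmon-style field names (Image, Product, Description, OriginalFileName) and are invented, and Sigma's `contains`/`endswith` modifiers are treated as case-insensitive, as Sigma backends do.

```python
# Added example: evaluates "selection and not filter" from the rule above.
PE_FIELDS = ("Product", "Description")
ORIGINAL_FILE_NAMES = {"autohotkey.exe", "autohotkey.rc"}
# Stock AutoHotkey image names listed in the rule's filter (lower-cased for matching).
STOCK_IMAGE_SUFFIXES = tuple(s.lower() for s in (
    "\\AutoHotkey.exe", "\\AutoHotkey32.exe", "\\AutoHotkey32_UIA.exe",
    "\\AutoHotkey64.exe", "\\AutoHotkey64_UIA.exe", "\\AutoHotkeyA32.exe",
    "\\AutoHotkeyA32_UIA.exe", "\\AutoHotkeyU32.exe", "\\AutoHotkeyU32_UIA.exe",
    "\\AutoHotkeyU64.exe", "\\AutoHotkeyU64_UIA.exe",
))

def selection(event):
    """selection: any PE metadata field identifies the binary as AutoHotkey."""
    if any("autohotkey" in str(event.get(f, "")).lower() for f in PE_FIELDS):
        return True
    return str(event.get("OriginalFileName", "")).lower() in ORIGINAL_FILE_NAMES

def filter_(event):
    """filter: image keeps a stock AutoHotkey file name or sits under a path containing '\\AutoHotkey'."""
    image = str(event.get("Image", "")).lower()
    return image.endswith(STOCK_IMAGE_SUFFIXES) or "\\autohotkey" in image

def matches(event):
    """condition: selection and not filter."""
    return selection(event) and not filter_(event)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "Product": "AutoHotkey", "OriginalFileName": "AutoHotkey.exe"},      # stock install
    {"Image": r"C:\Users\Public\svchost.exe",
     "Description": "AutoHotkey", "OriginalFileName": "AutoHotkey.exe"},  # renamed copy
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "AutoHotkey.rc"},  # renamed, only OriginalFileName survives
    {"Image": r"C:\Windows\System32\svchost.exe",
     "Product": "Microsoft Windows Operating System", "OriginalFileName": "svchost.exe"},  # unrelated
    {"Image": r"C:\Users\alice\Downloads\AutoHotkey_2.0-setup.exe",
     "Product": "AutoHotkey"},  # installer: suppressed by the Image|contains branch of the filter
]

def alerts(events=SAMPLE_EVENTS):
    """Return the Image paths of events the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]

if __name__ == "__main__":
    for image in alerts():
        print("ALERT renamed AutoHotkey:", image)
```

Note that the `Image|contains: '\AutoHotkey'` branch suppresses any event whose path contains that substring, which is wider than the list of stock file names; keep that in mind when reviewing suppressed events during tuning.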