Renamed AutoIt Execution
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
Sigma rule (View on GitHub)
title: Renamed AutoIt Execution
id: f4264e47-f522-4c38-a420-04525d5b880f
status: test
description: |
    Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.
    AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.
    Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
references:
    - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w
    - https://www.autoitscript.com/site/
author: Florian Roth (Nextron Systems)
date: 2023-06-04
modified: 2023-09-19
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - ' /AutoIt3ExecuteScript'
            - ' /ErrorStdOut'
    selection_2:
        - Imphash:
            - 'fdc554b3a8683918d731685855683ddf' # AutoIt v2 - doesn't cover all binaries
            - 'cd30a61b60b3d60cecdb034c8c83c290' # AutoIt v2 - doesn't cover all binaries
            - 'f8a00c72f2d667d2edbb234d0c0ae000' # AutoIt v3 - doesn't cover all binaries
        - Hashes|contains:
            - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries
            - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries
            - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries
    selection_3:
        OriginalFileName:
            - 'AutoIt3.exe'
            - 'AutoIt2.exe'
            - 'AutoIt.exe'
    filter_main_legit_name:
        Image|endswith:
            - '\AutoIt.exe'
            - '\AutoIt2.exe'
            - '\AutoIt3_x64.exe'
            - '\AutoIt3.exe'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
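To see how the three selections and the filename filter combine, the following added example (not part of the Sigma project or of the rule itself) evaluates the rule's condition in Python over a few constructed process-creation events. The event dictionaries, paths and command lines are assumptions made up for illustration; only the field names and match values come from the rule.

```python
# Added example: the rule's condition evaluated over constructed events.
IMPHASHES = {                                  # values copied from selection_2
    "fdc554b3a8683918d731685855683ddf",
    "cd30a61b60b3d60cecdb034c8c83c290",
    "f8a00c72f2d667d2edbb234d0c0ae000",
}
CMD_MARKERS = (" /autoit3executescript", " /errorstdout")       # selection_1
ORIGINAL_NAMES = {"autoit3.exe", "autoit2.exe", "autoit.exe"}   # selection_3
LEGIT_SUFFIXES = ("\\autoit.exe", "\\autoit2.exe",
                  "\\autoit3_x64.exe", "\\autoit3.exe")          # filter_main_legit_name

def field(event, name):
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    return str(event.get(name, "")).lower()

def selections(event):
    """Return the names of the selection_* blocks the event satisfies."""
    hits = []
    if any(m in field(event, "CommandLine") for m in CMD_MARKERS):
        hits.append("selection_1")
    hashes = field(event, "Hashes")
    if (field(event, "Imphash") in IMPHASHES
            or any("imphash=" + h in hashes for h in IMPHASHES)):
        hits.append("selection_2")
    if field(event, "OriginalFileName") in ORIGINAL_NAMES:
        hits.append("selection_3")
    return hits

def is_renamed_autoit(event):
    """condition: 1 of selection_* and not 1 of filter_main_*"""
    legit_name = field(event, "Image").endswith(LEGIT_SUFFIXES)
    return bool(selections(event)) and not legit_name

EVENTS = [  # constructed process-creation events, not real telemetry
    {"Image": r"C:\Users\Public\svchost32.exe", "OriginalFileName": "AutoIt3.exe",
     "Hashes": "IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000",
     "CommandLine": "svchost32.exe report.a3x"},
    {"Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" /ErrorStdOut build.au3'},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt"},
    {"Image": r"C:\ProgramData\helper.exe",  # no PE metadata logged
     "CommandLine": r"helper.exe /AutoIt3ExecuteScript C:\ProgramData\task.a3x"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(is_renamed_autoit(ev), selections(ev), ev["Image"])
```

The fourth event shows why the command-line selection matters: the imphash list is marked as not covering all binaries, so an event without matching PE metadata is still caught by its AutoIt-specific switch.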
Related rules
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs