Renamed AutoIt Execution
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
Sigma rule (View on GitHub)
1title: Renamed AutoIt Execution
2id: f4264e47-f522-4c38-a420-04525d5b880f
3status: test
4description: |
5 Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.
6 AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.
7 Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
8references:
9 - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w
10 - https://www.autoitscript.com/site/
11author: Florian Roth (Nextron Systems)
12date: 2023-06-04
13modified: 2024-11-23
14tags:
15 - attack.defense-evasion
16 - attack.t1027
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_1:
22 CommandLine|contains:
23 - ' /AutoIt3ExecuteScript'
24 - ' /ErrorStdOut'
25 selection_2:
26 Hashes|contains:
27 - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries
28 - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries
29 - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries
30 selection_3:
31 OriginalFileName:
32 - 'AutoIt3.exe'
33 - 'AutoIt2.exe'
34 - 'AutoIt.exe'
35 filter_main_legit_name:
36 Image|endswith:
37 - '\AutoIt.exe'
38 - '\AutoIt2.exe'
39 - '\AutoIt3_x64.exe'
40 - '\AutoIt3.exe'
41 condition: 1 of selection_* and not 1 of filter_main_*
42falsepositives:
43 - Unknown
44level: high
References
Related rules
- Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine