Detectionhightest

Renamed AutoIt Execution

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sun Jun 04Updated Sat Nov 23f4264e47-f522-4c38-a420-04525d5b880fwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_1:
        CommandLine|contains:
            - ' /AutoIt3ExecuteScript'
            - ' /ErrorStdOut'
    selection_2:
        Hashes|contains:
            - 'IMPHASH=FDC554B3A8683918D731685855683DDF'  # AutoIt v2 - doesn't cover all binaries
            - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290'  # AutoIt v2 - doesn't cover all binaries
            - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000'  # AutoIt v3 - doesn't cover all binaries
    selection_3:
        OriginalFileName:
            - 'AutoIt3.exe'
            - 'AutoIt2.exe'
            - 'AutoIt.exe'
    filter_main_legit_name:
        Image|endswith:
            - '\AutoIt.exe'
            - '\AutoIt2.exe'
            - '\AutoIt3_x64.exe'
            - '\AutoIt3.exe'
    condition: 1 of selection_* and not 1 of filter_main_*