Skip to content
Atomic Red Team
atomics
T1059.010

T1059.010 - Command and Scripting Interpreter: AutoHotKey & AutoIT

Description from ATT&CK (opens in a new tab)

Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)

Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code on a victim's system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as Phishing (opens in a new tab) payloads.(Citation: Splunk DarkGate)

These scripts may also be compiled into self-contained executable payloads (.exe).(Citation: AutoIT)(Citation: AutoHotKey)

Atomic Tests


Atomic Test #1 - AutoHotKey script execution

An adversary may attempt to execute malicious script using AutoHotKey software instead of regular terminal like powershell or cmd. A messagebox will be displayed and calculator will popup when the script is executed successfully

Supported Platforms: Windows

auto_generated_guid: 7b5d350e-f758-43cc-a761-8e3f6b052a03

Inputs:

NameDescriptionTypeDefault Value
script_pathAutoHotKey Script PathpathPathToAtomicsFolder\T1059.010\src\calc.ahk
autohotkey_pathAutoHotKey Executable File Pathpath$PathToAtomicsFolder\..\ExternalPayloads\ahk\AutoHotKeyU64.exe

Attack Commands: Run with powershell!

Start-Process -FilePath "#{autohotkey_path}" -ArgumentList "#{script_path}"

Dependencies: Run with powershell!

Description: AutoHotKey executable file must exist on disk at the specified location (#{autohotkey_path})
Check Prereq Commands:
if(Test-Path "#{autohotkey_path}") {
    exit 0
} else {
    exit 1
}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$AutoHotKeyURL = "https://www.autohotkey.com/download/ahk.zip"
$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads"
Invoke-WebRequest -Uri $AutoHotKeyURL -OutFile $InstallerPath\ahk.zip
Expand-Archive -Path $InstallerPath -Force;

T1059.007T1069.001