detection.wiki

Detection rules › Sigma

Renamed AutoIt Execution

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1027 Obfuscated Files or Information

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: 1 of selection_1

or:
CommandLine|contains: ' /AutoIt3ExecuteScript'
CommandLine|contains: ' /ErrorStdOut'

Stage 2: 1 of selection_2

or:
Hashes|contains: 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290'
Hashes|contains: 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000'
Hashes|contains: 'IMPHASH=FDC554B3A8683918D731685855683DDF'

Stage 3: 1 of selection_3

OriginalFileName: [AutoIt.exe, AutoIt2.exe, AutoIt3.exe]

Stage 4: not 1 of filter_main_legit_name

or:
Image|endswith: '\AutoIt.exe'
Image|endswith: '\AutoIt2.exe'
Image|endswith: '\AutoIt3.exe'
Image|endswith: '\AutoIt3_x64.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • /AutoIt3ExecuteScript
  • /ErrorStdOut
Hashesmatch
  • IMPHASH=CD30A61B60B3D60CECDB034C8C83C290
  • IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000
  • IMPHASH=FDC554B3A8683918D731685855683DDF
Imageends_with
  • \AutoIt.exe
  • \AutoIt2.exe
  • \AutoIt3.exe
  • \AutoIt3_x64.exe
OriginalFileNameeq
  • AutoIt.exe
  • AutoIt2.exe
  • AutoIt3.exe