
DET0332 Detection Strategy for AutoHotKey & AutoIT Abuse

Item           Value
ID             DET0332
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1059.010 (AutoHotKey & AutoIT)

Analytics

Windows

AN0942

Detects execution of AutoHotKey or AutoIT interpreters, or of executables compiled from their scripts, used for unauthorized automation, command execution, or payload delivery. Interpreter execution alone is common on workstations, so the analytic correlates it with anomalous process lineage (unexpected parent), command-line arguments (script path or extension), or creation of the script file shortly before it is run.

Log Sources
Data Component             Name                Channel
Process Creation (DC0032)  WinEventLog:Sysmon  EventCode=1
File Creation (DC0039)     WinEventLog:Sysmon  EventCode=11
Process Access (DC0035)    WinEventLog:Sysmon  EventCode=10
Mutable Elements
Field              Description
TimeWindow         Tuning this helps identify automation that runs outside expected user work hours.
ParentProcessName  Used to isolate cases where AHK or AutoIT scripts are spawned by suspicious or unusual parent processes (for example Office applications, script hosts, or mail clients rather than Explorer).
ScriptExtension    Script extensions such as .ahk and .au3, and arbitrarily named .exe files compiled from those scripts; compiled scripts will not show the extension on the command line and need to be matched on file metadata instead.
ChildProcessCount  Threshold for the number of child processes spawned by the interpreter, used to detect automation or modular malware behavior.
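The script below is an added example, not code from DET0332 or the ATT&CK project, that applies the analytic above to a handful of constructed Sysmon EventCode 1 (process creation) and EventCode 11 (file creation) records. Field names (Image, ParentImage, CommandLine, OriginalFileName, ProcessGuid, ParentProcessGuid, TargetFilename, UtcTime) are Sysmon's own; the interpreter name list, the suspicious-parent list, the 07:00-19:00 UTC work window and the child-process threshold of 3 are illustrative tuning values standing in for the mutable elements, and the sample events are invented. Matching a renamed or compiled binary on OriginalFileName relies on the compiled script retaining the interpreter's version resource, which is usual but not guaranteed.

```python
"""Added example: score Sysmon events for AutoHotkey / AutoIt abuse (DET0332 logic).
Tuning constants and sample events are assumptions, not values from the page."""
import re
from collections import Counter, defaultdict
from datetime import datetime, time
from pathlib import PureWindowsPath

# Known interpreter image names (AutoHotkey v1/v2 and AutoIt3 builds); assumption: not exhaustive.
INTERPRETERS = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe", "autohotkey32.exe",
                "autohotkey64.exe", "autoit3.exe", "autoit3_x64.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(?:ahk|au3)\b", re.IGNORECASE)   # ScriptExtension
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "powershell.exe", "cmd.exe"}  # ParentProcessName (assumption)
WORK_HOURS = (time(7, 0), time(19, 0))                          # TimeWindow, UTC (assumption)
CHILD_THRESHOLD = 3                                             # ChildProcessCount (assumption)


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path (or a bare file name)."""
    return PureWindowsPath(path).name.lower() if path else ""


def is_ahk_autoit(ev: dict) -> bool:
    """Process is an interpreter, a renamed/compiled copy whose OriginalFileName still names the
    interpreter, or any process launched with a .ahk/.au3 script on its command line."""
    if ev.get("EventCode") != 1:
        return False
    return (_name(ev.get("Image", "")) in INTERPRETERS
            or _name(ev.get("OriginalFileName", "")) in INTERPRETERS
            or bool(SCRIPT_EXT_RE.search(ev.get("CommandLine", ""))))


def off_hours(utc_time: str) -> bool:
    """True when the Sysmon UtcTime falls outside WORK_HOURS."""
    t = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f").time()
    return not (WORK_HOURS[0] <= t < WORK_HOURS[1])


def analyze(events: list) -> dict:
    """Return {ProcessGuid: [signals]} for AHK/AutoIt processes carrying at least one anomaly
    signal; a plain interpreter launch from Explorer during work hours is not reported."""
    children = Counter(ev.get("ParentProcessGuid") for ev in events if ev.get("EventCode") == 1)
    dropped = defaultdict(set)  # ProcessGuid -> .ahk/.au3 paths it wrote (EventCode 11)
    for ev in events:
        if ev.get("EventCode") == 11 and SCRIPT_EXT_RE.search(ev.get("TargetFilename", "")):
            dropped[ev["ProcessGuid"]].add(ev["TargetFilename"].lower())
    findings = {}
    for ev in events:
        if not is_ahk_autoit(ev):
            continue
        signals = []
        if _name(ev["Image"]) not in INTERPRETERS and _name(ev.get("OriginalFileName", "")) in INTERPRETERS:
            signals.append("renamed_interpreter")          # compiled or renamed binary
        if _name(ev.get("ParentImage", "")) in SUSPICIOUS_PARENTS:
            signals.append("suspicious_parent")
        if off_hours(ev["UtcTime"]):
            signals.append("off_hours")
        if children[ev["ProcessGuid"]] >= CHILD_THRESHOLD:
            signals.append(f"child_count={children[ev['ProcessGuid']]}")
        cmd = ev.get("CommandLine", "").lower()
        if any(p in cmd for p in dropped.get(ev.get("ParentProcessGuid"), ())):
            signals.append("parent_dropped_script")        # parent wrote the script, then ran it
        if signals:
            findings[ev["ProcessGuid"]] = signals
    return findings


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
AHK_TMP = r"C:\Users\bob\AppData\Local\Temp\AutoHotkeyU64.exe"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: user starts a hotkey script from Explorer at 10:15, no children
    {"EventCode": 1, "UtcTime": "2025-10-21 10:15:00.000", "ProcessGuid": "p-benign",
     "ParentProcessGuid": "p-explorer", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\alice\Documents\hotkeys.ahk"'},
    # Word writes a script at 02:30 and launches a dropped interpreter on it
    {"EventCode": 11, "UtcTime": "2025-10-21 02:30:05.000", "ProcessGuid": "p-word",
     "Image": OFFICE + r"\WINWORD.EXE", "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\update.ahk"},
    {"EventCode": 1, "UtcTime": "2025-10-21 02:30:10.000", "ProcessGuid": "p-ahk",
     "ParentProcessGuid": "p-word", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": AHK_TMP, "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": f'"{AHK_TMP}" "C:\\Users\\bob\\AppData\\Local\\Temp\\update.ahk"'},
] + [  # the interpreter fans out into three LOLBins
    {"EventCode": 1, "UtcTime": f"2025-10-21 02:30:1{i}.000", "ProcessGuid": f"p-child{i}",
     "ParentProcessGuid": "p-ahk", "ParentImage": AHK_TMP, "Image": img,
     "OriginalFileName": PureWindowsPath(img).name, "CommandLine": img}
    for i, img in enumerate([r"C:\Windows\System32\cmd.exe",
                             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             r"C:\Windows\System32\certutil.exe"])
] + [
    # compiled script: arbitrary .exe name from Outlook, no .ahk on the command line
    {"EventCode": 1, "UtcTime": "2025-10-21 09:02:00.000", "ProcessGuid": "p-compiled",
     "ParentProcessGuid": "p-outlook", "ParentImage": OFFICE + r"\OUTLOOK.EXE",
     "Image": r"C:\Users\bob\Downloads\invoice.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\invoice.exe"'},
]

if __name__ == "__main__":
    for guid, signals in analyze(SAMPLE_EVENTS).items():
        print(guid, ", ".join(signals))
```

Run as a script it reports `p-ahk` (suspicious parent, off hours, three children, script dropped by the parent) and `p-compiled` (renamed interpreter from Outlook) and stays silent on the Explorer-launched hotkey script, which is the separation the mutable elements are meant to provide. In production the same logic would run as a SIEM query keyed on ParentProcessGuid/ProcessGuid rather than in Python, and the child-count signal needs a time window because Sysmon process-creation events for the children arrive after the interpreter's own event.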