- Tactics
- Execution
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1059.010
Description
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)
Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code on a victim’s system. For example, adversaries have used for AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as Phishing payloads.(Citation: Splunk DarkGate)
These scripts may also be compiled into self-contained executable payloads (.exe).(Citation: AutoIT)(Citation: AutoHotKey)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Execution tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1047 — Windows Management Instrumentation
- T1053 — Scheduled Task/Job
- T1059 — Command and Scripting Interpreter
- T1072 — Software Deployment Tools
- T1106 — Native API
- T1127 — Trusted Developer Utilities Proxy Execution
- T1129 — Shared Modules
- T1197 — BITS Jobs
- T1203 — Exploitation for Client Execution
- T1204 — User Execution
- T1559 — Inter-Process Communication
- T1569 — System Services