AN0942: Analytic 0942
Detects execution of AutoHotKey or AutoIT interpreters or compiled scripts used for unauthorized automation, command execution, or payload delivery, correlated with anomalous process lineage, command-line arguments, or script creation events.
Analyst context for executives and security teams
This analytic matters because AutoHotKey and AutoIT can be legitimate Windows automation tools, but the same interpreters or compiled scripts can also be used for unauthorized automation, command execution, or payload delivery. For leaders, the decision value is whether the organization can distinguish approved automation from suspicious script-driven activity before it becomes an incident-response problem.
Executive priority
Prioritize this where Windows endpoints support business-critical operations or where local scripting and user-created automation are common. The key business question is not simply whether AutoHotKey or AutoIT exists, but whether security teams have enough endpoint visibility, process context, and governance over approved automation to explain suspicious use during an investigation or audit.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into execution of AutoHotKey or AutoIT interpreters and compiled scripts on Windows. The supplied analytic emphasizes correlation with anomalous process lineage, command-line arguments, and script creation events. Teams should baseline known-good automation, review parent/child process patterns, and ensure alerts include enough process and file context to determine whether activity is authorized.
Likely telemetry
- Windows process execution events
- Process parent/child lineage
- Command-line arguments
- Script or file creation events
- Interpreter or compiled script execution evidence
Detection direction
- Confirm whether AutoHotKey and AutoIT interpreter or compiled script executions are logged consistently across Windows endpoints.
- Correlate execution with anomalous process lineage rather than alerting only on tool names, because these tools may be used legitimately.
- Review command-line arguments and script creation events for context that separates approved automation from suspicious command execution or payload delivery behavior.
- Build or maintain an allowlist/baseline of sanctioned automation locations, users, and business processes to reduce false positives.
- Treat lack of official detection logic and lack of relationship context as a reason to validate locally rather than assume ATT&CK provides complete coverage guidance.
Mitigation priorities
- Inventory legitimate AutoHotKey and AutoIT use on Windows systems and assign business owners for approved automation.
- Restrict or govern unauthorized scripting and automation where operationally feasible.
- Ensure endpoint logging captures process creation, command lines, parent/child relationships, and relevant file creation events.
- Document approved automation patterns so SOC and IR teams can rapidly distinguish expected activity from suspicious use.
- Use findings from detections to refine endpoint hardening, user permissions, and incident-response playbooks.
Analyst notes and limits
This object is a detection analytic for Windows focused on identifying AutoHotKey or AutoIT interpreters or compiled scripts used for unauthorized automation, command execution, or payload delivery. No ATT&CK tactics, related techniques, groups, software, mitigations, or detection relationships were supplied, so the take is intentionally centered on telemetry validation and operational decision-making rather than attribution or threat-specific behavior.
Official detection logic was not provided, and no relationship context was supplied. The analytic does not by itself establish maliciousness, active exploitation, or coverage in any specific environment. Local baselines, endpoint telemetry quality, and knowledge of approved automation are required to make this actionable.
Analytic 0942
Detects execution of AutoHotKey or AutoIT interpreters or compiled scripts used for unauthorized automation, command execution, or payload delivery, correlated with anomalous process lineage, command-line arguments, or script creation events.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 24aeeef0b7a2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0942Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.