MITRE ATT&CK® Technique

T1059.010: AutoHotKey & AutoIT

Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.[1][2]

Adversaries may use AHK (`.ahk`) and AutoIT (`.au3`) scripts to execute malicious code on a victim's system. For example, adversaries have used AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as Phishing payloads.[3]

These scripts may also be compiled into self-contained executable payloads (`.exe`).[1][2]

Enterprise | T1059.010 | Sub-technique | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AutoHotKey and AutoIT are legitimate Windows automation scripting tools that can also be abused to run payloads, automate malicious actions, or package scripts as standalone executables. For leaders, the practical issue is not the scripting languages themselves, but whether the organization can distinguish approved automation from unauthorized execution on Windows endpoints, especially when scripts arrive through phishing or appear as compiled .exe files.

Executive priority

Prioritize this as a Windows execution-control and SOC visibility question. If AutoHotKey or AutoIT is used for business automation, security teams need an approved-use baseline and audit evidence showing how unauthorized scripts or compiled payloads are prevented or investigated. If these tools are not required, execution prevention can reduce avoidable exposure. This technique is also relevant to incident triage because ATT&CK links it to malware families and a group, making unexplained .ahk, .au3, or AutoIT/AHK-compiled executables worth prompt review.

Technical view

Validate coverage for T1059.010 as a sub-technique of Command and Scripting Interpreter on Windows. Focus on execution of .ahk and .au3 files, invocation of AutoHotKey or AutoIT interpreters, and suspicious compiled executables that may contain automation-script payloads. Because the official ATT&CK detection field is not provided, use the related DET0332 detection strategy as a pointer, but confirm locally what telemetry and analytics exist. IR teams should treat findings in context: legitimate desktop automation may exist, so detections need allowlists, user/process lineage, file origin, and relationship to phishing or downloaded payloads where available.

Likely telemetry

  • Windows process creation events showing AutoHotKey or AutoIT interpreter execution
  • Command-line arguments referencing .ahk or .au3 scripts
  • File creation or download events for .ahk, .au3, and suspicious .exe payloads
  • Parent-child process lineage for scripts launching programs or payloads
  • Endpoint security alerts or file reputation results for compiled script executables

Detection direction

  • Confirm whether DET0332 or equivalent local analytics are enabled for AutoHotKey and AutoIT abuse.
  • Baseline legitimate AutoHotKey/AutoIT business use before broad alerting to reduce false positives.
  • Alert on script execution from user-writable, email, browser download, or temporary locations when telemetry supports it.
  • Review compiled .exe payloads that exhibit AutoHotKey/AutoIT characteristics, since scripts may not remain visible as .ahk or .au3 files.
  • Correlate script execution with suspicious parent processes, unexpected child processes, or recently delivered files.
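The telemetry and detection-direction items above, worked as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python triage routine over constructed Sysmon-style process-creation records that flags AutoHotkey/AutoIt interpreter launches, .ahk/.au3 command-line arguments, scripts or binaries in user-writable locations and email/browser parents, while suppressing an allowlisted business script. The interpreter file names, risky directories, parent process names and the Contoso allowlist path are assumptions a SOC would replace with its own baseline.

```python
"""Triage Windows process-creation events for AutoHotkey/AutoIt interpreter execution.
Added example, not from the ATT&CK object or Glexia; interpreter names, paths and parents are assumptions."""
import re
from pathlib import PureWindowsPath
from typing import Optional

INTERPRETERS = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe", "autoit3.exe", "autoit3_x64.exe"}
SCRIPT_EXT = re.compile(r"\.(ahk|au3)\b", re.IGNORECASE)
RISKY_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\inetcache\\", "\\users\\public\\")  # assumed user-writable/delivery dirs
DELIVERY_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe"}  # assumed email/browser parents
APPROVED_SCRIPTS = {"c:\\program files\\contoso\\automation\\inventory.ahk"}  # constructed approved-use baseline

def script_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the first .ahk/.au3 argument on the command line, quoted or bare."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        if SCRIPT_EXT.search(quoted or bare):
            return quoted or bare
    return None

def score_event(ev: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means not flagged."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    script = script_from_cmdline(ev.get("CommandLine", ""))
    if (image not in INTERPRETERS and script is None) or (script and script.lower() in APPROVED_SCRIPTS):
        return []  # unrelated process, or baselined business automation suppressed by the allowlist
    reasons = []
    if image in INTERPRETERS:
        reasons.append(f"interpreter launched: {image}")
    if any(d in ev["Image"].lower() for d in RISKY_DIRS):
        reasons.append("binary running from user-writable location")
    if script:
        reasons.append(f"script argument: {script}")
        if any(d in script.lower() for d in RISKY_DIRS):
            reasons.append("script in user-writable/delivery location")
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    if parent in DELIVERY_PARENTS:
        reasons.append(f"delivery parent: {parent}")
    return reasons

def triage(events: list) -> list:
    """Return only the flagged events, each with its reasons attached."""
    return [{**ev, "reasons": r} for ev in events if (r := score_event(ev))]

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 style records, not real telemetry
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Program Files\Contoso\Automation\inventory.ahk"'},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\AutoIt3.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r"AutoIt3.exe C:\Users\bob\Downloads\Invoice_2024.au3"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the second record (interpreter dropped in Temp, script in Downloads, Outlook parent); the first is suppressed because its script is on the approved-use baseline.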

Mitigation priorities

  • Start with inventory: determine where AutoHotKey or AutoIT is legitimately required on Windows systems.
  • Where not required, use execution prevention controls to block unauthorized script interpreters and compiled payloads.
  • Where required, restrict approved scripts, paths, publishers, hashes, or managed deployment channels using application control or script blocking approaches consistent with M1038.
  • Add SOC playbooks for triaging .ahk, .au3, and suspicious compiled executables, including business-owner validation for automation use.
  • Maintain exception review and audit evidence so application-control decisions remain defensible for compliance and incident response.

Analyst notes and limits

ATT&CK relationships show this technique is used by APT39 and several software entries including Melcoz, OutSteel, DarkGate, XLoader, and Lumma Stealer. Those relationships support prioritizing detection and triage, but they should not be interpreted as evidence of current activity in any specific environment. The most important local decision is whether AutoHotKey/AutoIT is normal, restricted, or unexpected on Windows endpoints.

The official ATT&CK object provides no detection text, so detection recommendations are derived from the technique description, Windows platform scope, execution tactic, file types noted by ATT&CK, the DET0332 relationship, and the M1038 mitigation relationship. Local software inventory, endpoint telemetry, email/web logs, and approved automation records are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise | ID: T1059 | Name: Command and Scripting Interpreter | Relationship / procedure: This object is a sub-technique of Command and Scripting Interpreter.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0087: APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]

Malware Enterprise

S0530: Melcoz

Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.[1]

Windows
Malware Enterprise

S1207: XLoader

XLoader is an infostealer malware in use since at least 2016. Previously known and sometimes still referred to as Formbook, XLoader is a Malware as a Service (MaaS) known for stealing data from web browsers, email clients and File Transfer Protocol (FTP) applications.[1][2][3][4][5]

Windows
Malware Enterprise

S1111: DarkGate

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]

Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: cbd5143a1b1205e4...

Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Bundle imported: | Object version: 1.1 | Modified: | Status: Current bundle | Raw hash: cbd5143a1b12…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] AutoIT. (n.d.). Running Scripts. Retrieved March 29, 2024.
  2. [2] AutoHotkey Foundation LLC. (n.d.). Using the Program. Retrieved March 29, 2024.
  3. [3] Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.
  4. [4] mitre-attack: T1059.010.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.