Find AutoHotkey installations in your organization
AutoHotkey, an open-source scripting language for Windows used for form fillers, auto-clickers, macros and similar automation, has been the target of multiple malware campaigns. On its own, AutoHotkey is neither dangerous nor malicious; it does nothing but execute the scripts it is given. Recently, however, attackers have been using AutoHotkey scripts to deliver remote access trojans (RATs) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini and Vjw0rm, with the loader hidden inside an otherwise usable AutoHotkey script.
Detect AutoHotkey Malware Scripts
The infection begins with an AutoHotkey executable that runs a series of VBScripts, which in turn load the RAT onto the affected system. Another variant of this malware blocks connections to antivirus vendors by adding entries to the hosts file on the affected system.
Morphisec attributes all of the different attack chains to the same threat actor; in each of them the AHK script is used to disable Microsoft Windows Defender.
The campaigns use several uncommon techniques:
UAC Bypass
Emulator Bypass
Tampering with Microsoft Defender and antivirus products
Delivery through text share services
Manifest flow hijack through VbsEdit manipulation
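As an added example (not code from the original post, nor from Lansweeper), the following PowerShell script checks a single Windows host for the indicators described above: AutoHotkey entries in Add/Remove Programs, AutoHotkey interpreters dropped on disk, hosts-file entries that redirect security-vendor domains, and Defender tampering. The domain list in $AvDomains is an illustrative assumption, since the page does not reproduce the campaign's block list; the registry paths and Defender cmdlets are the standard Windows ones.

```powershell
# Added example, not part of the original post or of Lansweeper: single-host
# triage for the AutoHotkey RAT campaign described above. Run in an elevated
# PowerShell 5.1+ session. $AvDomains is an assumed, illustrative list of
# security-vendor domains; the campaign's real hosts-file block list is not on the page.

$ErrorActionPreference = 'SilentlyContinue'

# 1. AutoHotkey entries in Add/Remove Programs (64-bit, 32-bit and per-user hives).
#    This is the same data a software inventory tool sees.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ahkInstalls = Get-ItemProperty -Path $uninstallKeys |
    Where-Object { $_.DisplayName -like '*AutoHotkey*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation

# 2. Portable or compiled copies never register an uninstall key, so also look for the
#    interpreter on disk. Compiled scripts can carry any file name but often keep the
#    interpreter's version resource, hence the ProductName check. Depth-limited to stay fast.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA,
                 $env:APPDATA, $env:TEMP, $env:PUBLIC) | Where-Object { $_ -and (Test-Path $_) }
$ahkBinaries = Get-ChildItem -Path $searchRoots -Filter '*.exe' -Recurse -Depth 3 -File |
    Where-Object { $_.Name -like 'AutoHotkey*' -or $_.VersionInfo.ProductName -like '*AutoHotkey*' } |
    Select-Object FullName, @{ Name = 'Version'; Expression = { $_.VersionInfo.ProductVersion } }

# 3. hosts-file entries pointing security-vendor domains somewhere else (the AV-blocking variant).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$AvDomains = @('microsoft.com', 'windowsupdate.com', 'symantec.com', 'mcafee.com',   # assumed list
               'kaspersky.com', 'eset.com', 'sophos.com', 'avast.com', 'bitdefender.com')
$hostsHits = Get-Content -Path $hostsPath | ForEach-Object {
    $line = ($_ -split '#', 2)[0].Trim()        # strip trailing comments and whitespace
    if (-not $line) { return }                  # blank or comment-only line
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { return }         # address with no host names
    $address = $fields[0]
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        foreach ($domain in $AvDomains) {
            if ($name -eq $domain -or $name -like "*.$domain") {
                [pscustomobject]@{ Address = $address; HostName = $name; MatchedDomain = $domain }
            }
        }
    }
}

# 4. Defender tampering: disabled by policy, real-time protection off, or exclusions covering AHK.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
$ahkExclusions = @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension) |
    Where-Object { $_ -match 'ahk|autohotkey' }
$defenderFindings = [pscustomobject]@{
    DisabledByPolicy      = [bool]($policy.DisableAntiSpyware -eq 1 -or $policy.DisableAntiVirus -eq 1)
    RealTimeProtectionOff = ($null -ne $status) -and (-not $status.RealTimeProtectionEnabled)
    AhkRelatedExclusions  = $ahkExclusions
}

# 5. One summary object per host; collect with Invoke-Command or pipe to Export-Csv.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    AutoHotkeyInstalls = $ahkInstalls
    AutoHotkeyBinaries = $ahkBinaries
    HostsFileAvBlocks  = $hostsHits
    Defender           = $defenderFindings
    Suspicious         = [bool]($hostsHits -or $defenderFindings.DisabledByPolicy -or
                                $defenderFindings.RealTimeProtectionOff -or $ahkExclusions)
} | Format-List
```

An installed copy of AutoHotkey by itself is not a finding; the combination that matters is an AutoHotkey interpreter plus a hosts-file redirect or a Defender change, which is what the Suspicious flag captures. To run it fleet-wide, save the script to a file and pass it to Invoke-Command -FilePath against your list of Windows hosts.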
To keep these campaigns out of your organization, a good first step is to find exactly which machines can run these scripts at all. The report below lists every AutoHotkey installation in your network along with its version. Note that it relies on the software inventory, so portable or compiled AutoHotkey copies that never register in Add/Remove Programs will not appear in it.
AutoHotkey Software Query
-- Lists every active asset whose software inventory contains an AutoHotkey entry,
-- with version, publisher, last logged-on user and the most recent scanning error (if any).
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetUnique,
  tblAssets.Domain,
  tblAssets.Username,
  tblADusers.Displayname As [User],
  tblSoftwareUni.softwareName As software,
  tblSoftware.softwareVersion As version,
  tblSoftwareUni.SoftwarePublisher As publisher,
  tsysOS.Image As icon,
  Case
    When tblErrors.ErrorText Is Not Null Or
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblassets.Lasttried,
  tblassets.Lastseen
From tblSoftware
  Inner Join tblAssets On tblSoftware.AssetID = tblAssets.AssetID
  Inner Join tblSoftwareUni On tblSoftware.softID = tblSoftwareUni.SoftID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Left Join tblADusers On tblADusers.Username = tblAssets.Username And
    tblADusers.Userdomain = tblAssets.Userdomain
  -- Newest scanning error per asset (highest Teller is the latest row)
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
-- Any software name containing "autohotkey"; State = 1 keeps only active (non-retired) assets
Where tblSoftwareUni.softwareName Like '%autohotkey%' And
  tblAssetCustom.State = 1
Order By tblAssets.AssetName,
  software,
  version