Renamed Automation Script Interpreter
Detects the renaming of automation script interpreter processes like AutoIt, AutoHotkey, and KIX32, a tactic used by malware operators to evade detection by obscuring the true nature of the executable.
Malware operators often rename legitimate system and scripting tools to blend in with normal system processes and bypass security measures. This rule specifically detects instances where automation script interpreters like AutoIt, AutoHotkey, and KIX32 have been renamed. By comparing the process name against the original file name embedded in the executable, this detection identifies potential attempts to masquerade malicious scripts as legitimate software. This technique is employed to bypass application whitelisting and other security controls that rely on file names or process names for identification and authorization. This detection is relevant for any Windows environment where these scripting tools are used, as it can highlight potentially malicious activity masked by a common evasion technique.
Attack Chain
- An attacker gains initial access to the system, often through phishing or exploiting a software vulnerability.
- The attacker uploads or drops a malicious script (e.g., AutoIt, AutoHotkey, or KIX32 script) onto the target machine.
- The attacker renames the legitimate AutoIt, AutoHotkey, or KIX32 interpreter executable to a non-standard name (e.g., “svchost.exe” or “wininit.exe”) to masquerade as a legitimate process.
- The attacker executes the renamed interpreter, which in turn executes the malicious script.
- The script performs malicious actions, such as downloading additional malware, modifying system settings, or establishing persistence.
- The attacker uses the compromised system for lateral movement within the network or for data exfiltration.
- The attacker attempts to maintain persistence on the system to ensure continued access.
Impact
Successful renaming of script interpreters allows attackers to execute malicious scripts undetected, potentially leading to data theft, system compromise, or further propagation within the network. The impact can range from minor disruption to significant financial loss and reputational damage, depending on the attacker’s objectives and the sensitivity of the compromised data.
Recommendation
- Deploy the Sigma rule “Renamed AutoIt Interpreter” to your SIEM to detect when AutoIt executables are renamed, focusing on process.pe.original_file_name and process.name.
- Deploy the Sigma rule “Renamed AutoHotkey Interpreter” to your SIEM to detect when AutoHotkey executables are renamed, focusing on process.pe.original_file_name and process.name.
- Enable Sysmon process creation logging to capture the necessary process metadata, as referenced in the rule logsource.
- Investigate any alerts generated by these rules to determine the legitimacy of the renamed executable and its associated activity, as described in the note section.
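The comparison these rules perform, as an added example that is not part of this page or the vendor's rule set: it walks constructed ECS-shaped process creation events and flags any whose process.pe.original_file_name is a known interpreter while process.name differs, treating names case-insensitively and skipping events with no PE metadata. The set of OriginalFileName values (AutoIt3.exe, AutoHotkey.exe, KIX32.exe) is an assumption to adjust to your own telemetry.

```python
import os
from dataclasses import dataclass

# Assumed OriginalFileName values for the interpreters the rules cover; adjust to
# your environment (AutoHotkey in particular ships several differently named builds).
INTERPRETER_ORIGINAL_NAMES = {"autoit3.exe", "autohotkey.exe", "kix32.exe"}


@dataclass
class Match:
    process_id: int
    process_name: str
    original_file_name: str


def is_renamed_interpreter(event: dict) -> bool:
    """True when the PE's embedded OriginalFileName is a known interpreter but the
    on-disk process name differs. Windows file names are case-insensitive, so the
    comparison is too; an event without PE metadata cannot be judged and is skipped."""
    proc = event.get("process", {})
    original = proc.get("pe", {}).get("original_file_name")
    name = proc.get("name")
    if not original or not name:
        return False
    original_l = original.lower()
    if original_l not in INTERPRETER_ORIGINAL_NAMES:
        return False
    # basename() guards against a pipeline that puts a full path into process.name
    return os.path.basename(name).lower() != original_l


def find_renamed_interpreters(events) -> list:
    return [
        Match(e["process"].get("pid", 0), e["process"]["name"],
              e["process"]["pe"]["original_file_name"])
        for e in events if is_renamed_interpreter(e)
    ]


# Constructed sample events in ECS field layout (not real telemetry)
SAMPLE_EVENTS = [
    {"process": {"pid": 4120, "name": "AutoIt3.exe", "pe": {"original_file_name": "AutoIt3.exe"}}},
    {"process": {"pid": 4188, "name": "svchost.exe", "pe": {"original_file_name": "AutoIt3.exe"}}},
    {"process": {"pid": 4202, "name": "wininit.exe", "pe": {"original_file_name": "AUTOHOTKEY.EXE"}}},
    {"process": {"pid": 4250, "name": "notepad.exe", "pe": {"original_file_name": "notepad.exe"}}},
    {"process": {"pid": 4301, "name": "updater.exe"}},  # Sysmon captured no OriginalFileName
]

if __name__ == "__main__":
    for m in find_renamed_interpreters(SAMPLE_EVENTS):
        print(f"pid={m.process_id} name={m.process_name} original={m.original_file_name}")
```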
Detection coverage (2 rules)
- Renamed AutoIt Interpreter (severity: high): Detects renamed AutoIt interpreter processes.
- Renamed AutoHotkey Interpreter (severity: high): Detects renamed AutoHotkey interpreter processes.