In a world of “fileless malware”, elaborately chained attacks, living-off-the-land, and countless other use cases of fanciness it’s easy to forget some of the older and more basic things that will likely blindside every security appliance you employ. If your organization does application whitelisting properly or proactively addresses software potentially used for malicious actions, then you may have already mitigated this issue and can stop reading…
However, for those of us in the real world, please continue to hear me out. AutoHotKey scripts can achieve nearly every action a threat actor would ever want to achieve on a machine and then some. The software is often used by technical administrators and developers with heightened privileges to accomplish repetitive tasks, financial analysts with access to sensitive data, and operational folks to accomplish day-to-day business tasks. The scripts and tools that can be generated can save countless hours across an organization, but should we allow it?
The issue with AutoHotKey (AutoHotKey) is that it is so prevalently used by so many people to accomplish important tasks that it is regarded as “safe” and whitelisted outright by many security products available. In tandem with this is the fact that most security solutions simply don’t have the baked in logic set to understand or even ingest the file for analysis. Running an obviously malicious, non-obfuscated, and seemingly straightforward piece of AHK malware (code below) through VirusTotal shows a hit rate of 0/59. News flash, Windows Defender didn’t really help here either.
What about CrowdStrike? As one of the top EDR/NGAV/sandboxes available in the industry you’d imagine it would easily handle this right? Well… not so fast, as CrowdStrike Falcon sandbox is not able to analyze these files properly according to their documentation.
CrowdStrike Falcon Sandbox File Types
Recently there have been attempts to use AHK for pulling files down from various repositories such as Github, Bitbucket, and many others. Some examples:
AutoHotKey & BitBucket Used as Malware Slinger
Router DNS Hijacking - AutoHotKey and BitBucket
Let’s move on to the rudimentary example that I’ve created…
Disclaimer – I am not responsible for how you may use this code or any interpretation or modification of the below code in any way. This is for demonstration and education purposes only.