Commonly abused AutoIT script connects to an external domain

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-01-19
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
  • Requires:
    • XDR Agent
Detection Modules:
Detector Tags:
ATT&CK Tactic:
ATT&CK Technique:
Severity: Medium

Description

AutoIT scripts have legitimate uses, but malware frequently abuses them so that malicious logic runs inside a signed interpreter process, inheriting the trust of that signed binary.

Attacker's Goals

Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.

Investigative actions

  • AutoIT scripts have legitimate uses, but malware frequently abuses them to run malicious logic inside a signed interpreter process.
  • Identify the process that contacted the remote domain (the AutoIT interpreter, or a renamed copy of it, and the script it was given), then determine whether the traffic is malicious, for example by checking the destination domain against what the script is expected to contact.
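As an added triage example (not part of the Cortex XSIAM reference, and not Palo Alto Networks code), the script below walks constructed XDR-style process/network events, flags AutoIT processes that connect to domains outside an assumed internal suffix list, and collapses repeats per (host, image, domain) into one finding per day, mirroring this alert's 1-day deduplication period. The AutoIt3 image names, the .au3/.a3x script extensions, the internal suffix `corp.example` and the sample events are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Assumed AutoIt interpreter image names and script extensions (not taken from the alert page).
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
AUTOIT_SCRIPT_EXTS = (".au3", ".a3x")
DEDUP_WINDOW = timedelta(days=1)  # mirrors the alert's 1-day deduplication period

# Constructed sample events: one per process -> domain connection, in no particular order.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:00:00", "host": "WS01", "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "cmdline": r'"AutoIt3.exe" C:\Tools\inventory.au3', "dst_domain": "updates.corp.example"},
    {"ts": "2025-01-10T15:00:00", "host": "WS02", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r'"svchost.exe" C:\Users\Public\update.a3x', "dst_domain": "cdn-telemetry.example.net"},
    {"ts": "2025-01-10T09:00:00", "host": "WS02", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r'"svchost.exe" C:\Users\Public\update.a3x', "dst_domain": "cdn-telemetry.example.net"},
    {"ts": "2025-01-11T10:00:00", "host": "WS02", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r'"svchost.exe" C:\Users\Public\update.a3x', "dst_domain": "cdn-telemetry.example.net"},
    {"ts": "2025-01-10T11:00:00", "host": "WS03", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe", "dst_domain": "example.net"},
]


def is_autoit_process(event):
    """True if the image is the AutoIt interpreter (any file name) or the command line names an AutoIt script."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"].lower()
    return image in AUTOIT_IMAGES or any(ext in cmdline for ext in AUTOIT_SCRIPT_EXTS)


def is_external(domain, internal_suffixes):
    """True unless the domain is, or sits under, one of the assumed internal suffixes."""
    d = domain.lower().rstrip(".")
    return not any(d == s or d.endswith("." + s) for s in internal_suffixes)


def triage(events, internal_suffixes=("corp.example",)):
    """Return one finding per (host, image, domain) per dedup window, oldest first."""
    first_alert = {}  # key -> timestamp of the finding that opened the current dedup window
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not (is_autoit_process(ev) and is_external(ev["dst_domain"], internal_suffixes)):
            continue
        key = (ev["host"], ev["image"].lower(), ev["dst_domain"].lower())
        ts = datetime.fromisoformat(ev["ts"])
        opened = first_alert.get(key)
        if opened is not None and ts - opened < DEDUP_WINDOW:
            continue  # repeat of an already-raised finding inside the 1-day window
        first_alert[key] = ts
        findings.append({"ts": ev["ts"], "host": ev["host"], "image": ev["image"],
                         "cmdline": ev["cmdline"], "domain": ev["dst_domain"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["image"], "->", f["domain"], "|", f["cmdline"])
```

On the sample events this yields two findings for WS02 (the 09:00 and next-day 10:00 connections), while the 15:00 repeat is suppressed and the internal AutoIT run on WS01 is ignored.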