/OffensiveAutoIt

Offensive tooling notes and experiments in AutoIt v3 (https://www.autoitscript.com/site/autoit/)

Primary LanguageAutoItBSD 2-Clause "Simplified" LicenseBSD-2-Clause

OffensiveAutoIt

Offensive tooling notes and experiments in AutoIt v3.

Table of Contents

Why AutoIt?

  • Plenty of examples online showing AutoIt being utilized for malware development but no general resource I could find that security folk new to the language can use to explore its capabilities and nuances.
  • Ability to directly call external DLL and Windows API functions.
  • Scripts can be executed using AutoIt3.exe (digitally signed binary) or compiled into standalone executables.
  • Simplifies UI automation and interaction; GUI creation, simulating keystrokes and mouse movements, manipulating windows and processes.
  • Very active community and countless user defined functions (UDFs).
  • I love byt3bl33d3r's OffensiveNim repo and wanted to have a go at developing/researching tradecraft in a language that I wasn't familiar with.

OffensiveAutoIt scripts

The examples in this repo are purely PoCs; I've tested them, but not thoroughly. The scripts are intended to be compiled and used as standalone console application executables but it's not the only way they can be utilized.

Execution (TA0002)

Script Description ATT&CK Reference
ExecutePowershell.au3 Hosts the CLR, bypasses AMSI & executes PowerShell through an unmanaged runspace. More info available in this post. T1059.001
ExecuteAssembly.au3 Hosts the CLR, patches AMSI & ETW and executes a .NET assembly from memory. NOTE: This script doesn't support assembly arguments at the moment (WIP). More info available in this post. T1027.002
T1218
MSScriptControl.au3 Executes JScript and VBScript using the MSScriptControl COM object. Direct port of scriptcontrol_bin.nim by byt3bl33d3r. T1059.007
T1059.005
ExcelCOM.au3 Executes shellcode using the Excel COM object and VBA macros. Direct port of excel_com_bin.nim by byt3bl33d3r. T1059.005

Persistence (TA0003)

Script Description ATT&CK Reference
NetUserAdd.au3 Uses the NetUserAdd API to create a new computer/machine account. The user will be hidden in the control panel and from the net user/wmic commands. Adapted from DoUCMe by Ben0xA. T1136.001

Defense Evasion (TA0005)

Script Description ATT&CK Reference
PatchAMSI.au3 Bypasses AMSI by patching amsi.dll. T1562.001
PatchETW.au3 Patches ETW out of the current process. T1562.006

Credential Access (TA0006)

Script Description ATT&CK Reference
MiniDump.au3 Dumps process memory to a file on disk using the MiniDumpWriteDump API. T1003.001
KeePassCredExport-1.au3 Exports credentials from an unlocked KeePass2 database to disk using UI automation & key presses. Reference blog post here. T1555.005
KeePassCredExport-2.au3 Exports credentials from an unlocked KeePass2 database to disk using UI automation & key presses. Contains user idle time check. Reference blog post here. T1555.005
BitwardenCredExport.au3 Exports Bitwarden vault credentials to disk using UI automation & key presses. Requires Bitwarden's master password. Reference blog post here. T1555.005
1PasswordCredExport.au3 Exports 1Password vault credentials to disk using UI automation & key presses. Contains user input and visual block during extraction. Requires 1Password's master password and admin privileges on target PC. Reference blog post here. T1555.005

Discovery (TA0007)

Script Description ATT&CK Reference
WMIEnum.au3 Enumerates basic info about a Windows host using WMI. T1047

Lateral Movement (TA0008)

Script Description ATT&CK Reference
WMICommand.au3 Executes a command on a remote computer using WMI. T1047

Collection (TA0009)

Script Description ATT&CK Reference
Keylogger.au3 Logs a user's keystrokes using AutoIt's IsPressed function. T1056.001
ScreenCapture.au3 Takes a screenshot and saves it in the user's temp directory. T1113
ClipboardMonitor.au3 Periodically monitors the clipboard for text and prints the content to stdout. T1115

Process Injection (T1055)

Script Description ATT&CK Reference
DLLInjection.au3 Injects a DLL file on disk into a remote process. T1055.001
CreateRemoteThread.au3 Injects shellcode into a remote process using the CreateRemoteThread API. T1055.002
QueueUserAPC.au3 Injects shellcode into a target executable using the QueueUserAPC API. T1055.004

Using AutoIt scripts

First things first - install AutoIt from the official site.

AutoIt scripts can either be compiled into standalone executables (.exe) or AutoIt compiled scripts. Both plaintext script files (.au3) and compiled scripts (.a3x) must be executed using the AutoIt3.exe binary.

1. Compiling scripts into standalone executables

i) Aut2Exe

Aut2Exe is included in the default AutoIt installation and enables the compilation of scripts into standalone executables. It can be found in C:\Program Files (x86)\AutoIt3\Aut2Exe.

NOTE: Aut2Exe doesn't perform any syntax checking, so AutoIt scripts compiled with it need to be completely free of any errors.

There are 2 common ways to use Aut2Exe:

1. Command Line

# General usage
Aut2Exe.exe /in in-script.au3 /out out-executable.exe [/other-options]

# Example: Compile script into a 32 bit executable console application
Aut2exe.exe /in "C:\Users\v1v1\OffensiveAutoIt\DLLInjection.au3" /out ".\DLLInjection.exe" /x86 /console

# Example: Compile script into a 64 bit executable console application with no UPX packing
Aut2exe.exe /in "C:\Users\v1v1\OffensiveAutoIt\DLLInjection.au3" /out ".\DLLInjection64.exe" /x64 /console /nopack

NOTE: Aut2Exe will use UPX compression by default. Some security products really don't like executables packed with UPX, so you should probably avoid it.

2. GUI

The Aut2Exe graphical interface can be launched from the Start Menu or by running Aut2Exe from the command line without any arguments.

Aut2Exe GUI

ii) SciTE4AutoIt

The SciTE4AutoIt text editor comes installed with AutoIt. SciTE4AutoIt, unlike Aut2Exe, can perform syntax/error checking of scripts before compilation.
To compile a script using SciTE4AutoIt, just open it in the editor and hit Ctrl+F7 to bring up the compilation menu or just F7 to build immediately.

Aut2Exe GUI

2. Using scripts without compilation into executables

i) AutoIt3.exe

AutoIt3.exe is the main program used to run AutoIt scripts without having to compile them into executables. Both AutoIt3.exe and AutoIt3_x64.exe (64 bit version) can be found in C:\Program Files (x86)\AutoIt3.

There are 2 primary benefits to using AutoIt3.exe:

  1. It's the only program required to run an AutoIt script - even on systems without AutoIt installed. All you need is AutoIt3.exe (or AutoIt3_x64.exe) and the script(s) you want to execute and you can run them on any Windows system you want to.
  2. It's digitally signed; which is a bit of a bonus for opsec since you're going to have to drop it on disk to use it on target systems.

AutoIt3.exe certificate

AutoIt3.exe usage

# General usage
AutoIt3.exe script.au3 [optional parameters]

# Example: Execute a regular script without command line parameters
.\AutoIt3.exe .\KeePassCredExport-1.au3

# Example: Execute an .a3x compiled script with command line parameters 
.\AutoIt3.exe .\CreateRemoteThread.a3x 1234

AutoIt scripts without any includes in them can simply be executed by passing the plaintext script as an argument to AutoIt3.exe.

Run script with no includes

Unfortunately, you can't use AutoIt3.exe to execute an AutoIt script with includes in it since the included files won't exist on systems without AutoIt installed. If you try to do it, you'll get an error similar to this:

Script include error

NOTE: I was wrong about this. You can actually use the Au3Stripper utility included in SciTE4AutoIt to combine both your script and any referenced include files into a single source file. You can access Au3Stripper by bringing up SciTE4AutoIt's compile menu (Ctrl+F7). The combined source file (scriptName_stripped.au3) will be placed in the same directory as your original script. Hat tip to rcmaehl for the correction.

The problem is includes are pretty important since they add a lot of useful functionality to AutoIt scripts e.g. Windows API functions. But there's a way around this.
Compile the script with the .a3x extension; this format builds a single file that contains the script itself and all referred #include files.

# Compiling a script into .a3x format using Aut2Exe
Aut2Exe.exe /in in-script.au3 /out out-script.a3x

a3x format compilation

Now we can use the .a3x compiled script with AutoIt3.exe just like we would with a "normal" AutoIt script.
Example: Using AutoIt3_x64.exe and the .a3x version of CreateRemoteThread.au3 to inject MessageBox shellcode into a 64 bit process (notepad.exe).

a3x example usage

Stuff to note about .a3x files:

  1. An .a3x file is simply an AutoIt binary compiled with all its referenced #include files and without the AutoIt interpreter built into it.
  2. They're much smaller than scripts compiled into standalone executables.
❯ ls -lh MiniDump.*
-rw------- 1 vivi vivi 244K May  7 01:55 MiniDump.a3x
-rw------- 1 vivi vivi 1.1M May  7 01:55 MiniDump.exe
  1. I've only done very minimal testing, but it seems like compiling scripts into .a3x format instead of .exe helps reduce detection by some AV software, so it's probably the best format to use even with scripts without includes in them.
  2. This is a bit of a bummer, but when using AutoIt3.exe to execute an .a3x or .au3 file, you don't get any console output. The script will work just fine with any number of arguments but won't print anything to stdout. If you really need the output from your script e.g. when using a keylogger - consider piping the script's execution to more or Out-Host or just modifying it to redirect output to a file instead of writing to console.

Script output comparison

NOTE: It's possible to modify the AutoIt3.exe executable to change the console output behavior, but that would break the binary's digital signature and we really don't want to do that.

ii) AutoItX

AutoIt installations come packaged with AutoItX; a DLL version of AutoIt v3 that enables you to use AutoIt-like features from other languages (Powershell, C#, C++, VB etc.).

The AutoItX files can be found in C:\Program Files (x86)\AutoIt3\AutoItX. The 4 primary DLLs are:

  • AutoItX3.Assembly.dll - The .NET assembly for using AutoItX.
  • AutoItX3.PowerShell.dll - The PowerShell module code.
  • AutoItX3.dll - The main AutoItX DLL (x86).
  • AutoItX3_x64.dll - The main AutoItX DLL (x64).

C# devs can also incorporate AutoIt's features in their .NET projects by utilizing the AutoIt Nuget package. Adding it to a project will automatically include all the DLL files required for use with C# executables.

I personally don't see the value in using AutoIt as a replacement for C# in any scenario unless it involves UI automation, which is still possible using C# but requires a little more effort to implement.

The sample C# code below demonstrates how simple it is to use AutoIt in a .NET project to open a program (calc.exe) and send keystrokes to it.

using AutoIt;
using System;

namespace AutoItX_demo
{
    class Program
    {
        static void Main(string[] args)
        {
            // Open calc
            AutoItX.Run("calc.exe", ".", 1);
            AutoItX.WinWaitActive("Calculator");
            // Wait for window to appear and do some math
            AutoItX.Sleep(2000);
            AutoItX.Send("420*69");
            AutoItX.Send("{ENTER}");
            // Close the calc window
            AutoItX.Sleep(2000);
            IntPtr winHandle = AutoItX.WinGetHandle("Calculator");
            AutoItX.WinKill(winHandle);
        }
    }
}

AutoItX demo

Invoke-AutoIt

Invoke-AutoIt is a Powershell script written by byt3bl33d3r that loads the AutoIt DLLs and PowerShell assemblies into memory and executes user specified keystrokes in target windows.

Setting up a dev environment

SciTE4AutoIt

Getting started with AutoIt development is pretty straightforward. The default AutoIt installation comes with a lite version of the SciTE4AutoIt text editor. I'd recommend downloading and installing the full version of SciTE4AutoIt to get access to the editor's entire suite of features.

SciTE4AutoIt editor

VS Code

VS Code has an AutoIt extension which is painless to install and configure. Once installed from the marketplace, you can open the extension's settings by opening VS Code's command palette (Ctrl+Shift+P) and searching for "user settings" and selecting AutoIt Configuration under the Extensions menu. The extension's configuration should already be set up for a default installation of AutoIt and SciTE4AutoIt on a 64 bit Windows system but can also be modified for custom setups.

VS Code AutoIt extension

Now you can edit, debug and build your AutoIt scripts right from VS Code.

VS Code run script

Debugging

A few options for debugging scripts are outlined in this post on the official wiki.

Decompiling AutoIt executables

Standalone AutoIt executables can usually be easily identified by using analysis tools like PeStudio.

PeStudio Analysis

Older versions of AutoIt used to ship with an official decompiler, but that's no longer the case.
3rd party decompilers exist, but use them at your own risk. Some of these programs will execute the script's code during the decompilation process, potentially executing any malicious code in them on your system. So always use a sandbox environment when attempting to decompile AutoIt executables.

Exe2Aut warning

Exe2Aut seems to be the most popular and most referenced decompiler I could find. Using it is pretty simple, just open Exe2Aut and drag an AutoIt compiled executable into the decompiler's window.

Exe2Aut decompilation

Exe2Aut doesn't have support for 64 bit AutoIt executable decompilation but some of the tools mentioned in the section below do.

Decompiling .a3x files

.a3x files can be identified using tools like ExeInfo and Detect It Easy(DiE) or by manually searching for occurrences of "AU3!" string in the file's contents.

Identify .a3x file

myAut2Exe doesn't seem to be as widely referenced as Exe2Aut but it's definitely the more advanced decompiler. 2 significant advantages it has over Exe2Aut is the ability to decompile .a3x files and 64 bit AutoIt executables.

To decompile an .a3x file using myAut2Exe, just drag the file into the "File or Folder" textbox, click on the "Scan File" menu and select the "Automated" option. Give it a little time and you should end up with the decompiled source code. The decompiled script will be written to the same directory as the target .a3x/.exe file.

MyAut2Exe decompilation

Another great alternative and my personal preference for AutoIt decompilation is AutoIt Extractor by x0r19x91.

AutoIt Extractor decompilation

NOTE: It's possible to defeat/mislead the decompilation process of both Exe2Aut and myAut2Exe. There's a post demonstrating techniques to do it for both decompilers here.

Other decompilation tools

Some more tools with decompilation capabilities worth mentioning are:

AutoIt-Ripper

AutoIt-Ripper usage

UnAutoIt

UnAutoIt usage

ClamAV

ClamAV decompilation

References

Obfuscating scripts

Because AutoIt executables are trivial to decompile in most cases, script obfuscation is something worth looking into if you're considering developing any offensive tools.

A number of free and paid obfuscators are publicly available. The most featured one I could find is PELock's AutoIt Obfuscator which isn't free but does offer a limited trial version and online obfuscator. As expected, obfuscating scripts makes analysis of extracted source code a little more challenging.

PELock obfuscation

Funnily enough, obfuscating a script might actually raise its AV engine detection count.

VT obfuscation comparison

Other obfuscators

NOTE: I haven't tested any of these. Use them at your own discretion.

Deobfuscating AutoIt

AutoIt in the wild

AutoIt is far from unfamiliar to malware authors; from skids to advanced threat actors. Check out the links below for examples of AutoIt malware discovered in the wild.

Detection

Resources to help with detection.

YARA rules

Miscellaneous

Blog posts

Just some blog posts I've found (or written) about AutoIt tradecraft.

AutoIt project references

Projects built in/for Autoit - not necessarily security related.