From bb90406df471f071a9c823f4eec3e29ad9a9ed95 Mon Sep 17 00:00:00 2001
From: zoro <71764768+zorovj@users.noreply.github.com>
Date: Sun, 23 Feb 2025 16:44:28 +0100
Subject: [PATCH] Create T1059.010.yaml (#3044)
Co-authored-by: Carrie Roberts
---
 atomics/T1059.010/T1059.010.yaml | 38 ++++++++++++++++++++++++++++++++
 atomics/T1059.010/src/calc.ahk | 2 ++
 2 files changed, 40 insertions(+)
 create mode 100644 atomics/T1059.010/T1059.010.yaml
 create mode 100644 atomics/T1059.010/src/calc.ahk
diff --git a/atomics/T1059.010/T1059.010.yaml b/atomics/T1059.010/T1059.010.yaml
new file mode 100644
index 00000000..5e2dd109
--- /dev/null
+++ b/atomics/T1059.010/T1059.010.yaml
@@ -0,0 +1,38 @@
+attack_technique: T1059.010
+display_name: 'Command and Scripting Interpreter: AutoHotKey & AutoIT'
+atomic_tests:
+- name: AutoHotKey script execution
+ auto_generated_guid:
+ description: |
+ An adversary may attempt to execute malicious script using AutoHotKey software instead of regular terminal like powershell or cmd. A messagebox will be displayed and calculator will popup when the script is executed successfully
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ AutoHotKey executable file must exist on disk at the specified location (#{autohotkey_path})
+ prereq_command: |
+ if(Test-Path "#{autohotkey_path}") {
+ exit 0
+ } else {
+ exit 1
+ }
+ get_prereq_command: |
+ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+ $AutoHotKeyURL = "https://www.autohotkey.com/download/ahk.zip"
+ $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads"
+ Invoke-WebRequest -Uri $AutoHotKeyURL -OutFile $InstallerPath\ahk.zip
+ Expand-Archive -Path $InstallerPath -Force;
+ input_arguments:
+ script_path:
+ description: AutoHotKey Script Path
+ type: path
+ default: PathToAtomicsFolder\T1059.010\src\calc.ahk
+ autohotkey_path:
+ description: AutoHotKey Executable File Path
+ type: path
+ default: $PathToAtomicsFolder\..\ExternalPayloads\ahk\AutoHotKeyU64.exe
+ executor:
+ command: |
+ Start-Process -FilePath "#{autohotkey_path}" -ArgumentList "#{script_path}"
+ name: powershell
diff --git a/atomics/T1059.010/src/calc.ahk b/atomics/T1059.010/src/calc.ahk
new file mode 100644
index 00000000..5571541e
--- /dev/null
+++ b/atomics/T1059.010/src/calc.ahk
@@ -0,0 +1,2 @@
+MsgBox, This is a test AutoHotKey script.
+Run, calc.exe
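Review bot: The `get_prereq_command` never produces the binary that the `autohotkey_path` default points at: `Expand-Archive -Path $InstallerPath -Force;` is handed the ExternalPayloads directory rather than the `ahk.zip` the preceding `Invoke-WebRequest` wrote, and with no `-DestinationPath` nothing would be placed under `ExternalPayloads\ahk\` even if it unpacked, so `prereq_command` keeps failing after the prerequisite step reports success. It should read `Expand-Archive -Path "$InstallerPath\ahk.zip" -DestinationPath "$InstallerPath\ahk" -Force` (this assumes the zip keeps `AutoHotkeyU64.exe` at its root, which matches the layout the default path expects — confirm against the archive). The same step mixes the bare `PathToAtomicsFolder` placeholder in the `New-Item` line with the `$PathToAtomicsFolder` variable in `$InstallerPath`; using one form throughout makes the target directory unambiguous. Because this fetches an unpinned interpreter from `https://www.autohotkey.com/download/ahk.zip` and then executes it, a versioned download URL plus a `Get-FileHash` comparison before extraction, or at least a comment stating the archive is taken on trust, would be appropriate for something that runs attacker-style tooling on the host. A `cleanup_command` that terminates `calc.exe` and the AutoHotkey process would also stop the test leaving processes behind after `Start-Process` returns.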
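Review bot: `MsgBox, This is a test AutoHotKey script.` blocks the script until the dialog is dismissed, so `Run, calc.exe` on the following line only executes after a user clicks OK; when the YAML executor launches this unattended, the box appears and calc never starts, which does not match the test description. Swapping the two lines so `Run, calc.exe` comes first, or giving the dialog a timeout with `MsgBox, 0, Atomic Red Team, This is a test AutoHotKey script., 5`, lets the test finish without interaction. The comma-separated command form used here looks like AutoHotkey v1 syntax, which fits the `AutoHotKeyU64.exe` build the YAML downloads but would not parse under a v2 interpreter; a header comment such as `; AutoHotkey v1 syntax - run with the AutoHotkeyU64.exe fetched by the test prerequisites` would keep a future change of the dependency from silently breaking the test.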