Update defense_evasion_masquerading_renamed_autoit.toml

Samirbous · Samirbous · commit 10913ce2d821 · 2025-08-21T23:26:36.000+01:00
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -118,7 +118,10 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe"
+  (
+   (process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe") or
+   (process.pe.original_file_name == "AutoHotkey.exe" and not process.name : ("AutoHotkey*.exe", "InternalAHK.exe"))
+   )
 '''
 
 
