
AutoIt Execution

Anvilogic Forge

Summary
This detection rule identifies the execution of AutoIt script files (.au3) and the associated interpreter executables (AutoIT.exe, AutoIT2.exe, AutoIT3.exe) on Windows endpoints. AutoIt is commonly used to automate tasks in the Windows GUI; however, the same capabilities can be abused by malicious actors to run harmful scripts or automate harmful actions on affected systems. The Splunk logic uses PowerShell logs and the script-execution event code (EventCode=4104) to capture such activity. A regex filter is then applied to match any instance where an AutoIt executable runs together with a command that loads a .au3 file, giving a precise means of detection. This rule is significant for identifying potential misuse of a legitimate feature, which may indicate a broader security compromise. Its effectiveness is enhanced by correlating logs from different data sources to build a comprehensive view of the activity across endpoints.
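The matching described above, as an added illustration that is not the rule's own Splunk query or any Anvilogic code: it applies an assumed regex (one of many possible approximations of the rule's filter) to constructed PowerShell 4104 events, using an assumed ScriptBlockText field name, and shows which of the samples would fire and which would not.

```python
import re

# Constructed sample events modelled on Windows PowerShell script block logging
# (EventCode 4104). The ScriptBlockText field name and every command line here
# are assumptions made for this example, not data from the rule itself.
SAMPLE_EVENTS = [
    # AutoIt interpreter launched with a .au3 script: should match
    {"EventCode": 4104,
     "ScriptBlockText": r"Start-Process 'C:\Tools\AutoIt3.exe' -ArgumentList 'C:\Users\Public\update.au3'"},
    # Same, invoked via the call operator with a full path: should match
    {"EventCode": 4104,
     "ScriptBlockText": r"& 'C:\Program Files (x86)\AutoIt3\AutoIt3.exe' /AutoIt3ExecuteScript C:\temp\run.au3"},
    # Only lists .au3 files, no AutoIt executable: should not match
    {"EventCode": 4104, "ScriptBlockText": r"Get-ChildItem C:\Scripts\*.au3"},
    # AutoIt executable without a .au3 argument: should not match
    {"EventCode": 4104, "ScriptBlockText": r"autoit3.exe /ErrorStdOut"},
    # Wrong event code (module logging, not script block logging): ignored
    {"EventCode": 4103, "ScriptBlockText": r"AutoIt3.exe C:\x.au3"},
]

# Assumed filter: an AutoIt interpreter name (AutoIt.exe, AutoIt2.exe, AutoIt3.exe),
# matched case-insensitively, followed somewhere on the same command by a .au3 file.
AUTOIT_PATTERN = re.compile(r"(?i)\bautoit[23]?\.exe\b.*\.au3\b")


def matches_autoit_execution(event: dict) -> bool:
    """Return True when a 4104 event's script block pairs an AutoIt binary with a .au3 script."""
    if event.get("EventCode") != 4104:
        return False
    return bool(AUTOIT_PATTERN.search(event.get("ScriptBlockText", "")))


def detect(events) -> list:
    """Return the script block text of every event the filter fires on."""
    return [e["ScriptBlockText"] for e in events if matches_autoit_execution(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("AutoIt execution:", hit)
```

The two negative 4104 samples show why the rule requires both the executable name and a .au3 argument: either alone is common benign activity.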
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Logon Session
  • Application Log
  • Script
ATT&CK Techniques
  • T1059
Created: 2024-02-09