
Summary
This detection rule identifies the execution of AutoHotkey (AHK) scripts on Windows systems. AutoHotkey is an automation tool whose scripts can run arbitrary commands and simulate keyboard and mouse input, which makes it useful to adversaries for scripted post-compromise activity. The rule monitors process-creation events for launches of AutoHotkey interpreter binaries such as 'AutoHotkey.exe' and its variants, and for command lines that reference a script with the '.ahk' extension, and records the time, host, user, and process details of each match so that the activity can be investigated. The detection logic is implemented as a Splunk query over the event codes that correspond to process execution. Because AutoHotkey is also widely used for legitimate automation, each hit should be triaged on the script path, the parent process, and the user before it is treated as malicious. Note that scripts compiled into standalone executables carry neither the interpreter name nor the '.ahk' extension and are not covered by this rule.
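The detection logic described above, modelled offline over constructed process-creation events. This is an added example, not the rule's own Splunk query: the event field names follow the Sysmon Event ID 1 schema, the sample events are made up, and the suffixed interpreter names (AutoHotkeyU32.exe, AutoHotkeyU64.exe and the like) are assumed variants alongside the AutoHotkey.exe the rule names. It also shows why matching on the '.ahk' extension matters: a renamed copy of the interpreter still surfaces through its command line.

```python
"""Offline model of the AutoHotkey execution detection over constructed
process-creation events. Added example; not the rule's own Splunk query."""
import ntpath
import re

# Interpreter binaries the rule keys on. "AutoHotkey.exe" is named by the
# rule; the suffixed names are assumed here for illustration.
AHK_BINARIES = frozenset({
    "autohotkey.exe",
    "autohotkeyu32.exe",
    "autohotkeyu64.exe",
    "autohotkeya32.exe",
    "autohotkey32.exe",
    "autohotkey64.exe",
})

# A .ahk script on the command line: quoted, followed by more arguments,
# or last on the line. Deliberately does not match ".ahkdocs" and similar.
AHK_SCRIPT_RE = re.compile(r'\.ahk(?=["\s]|$)', re.IGNORECASE)

# Constructed Sysmon-style process-creation events (field names follow the
# Sysmon Event ID 1 schema; hosts, users and paths are made up).
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T08:01:12Z", "host": "WS01", "user": "CORP\\alice",
     "EventCode": 1,
     "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\alice\macros\hotkeys.ahk"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"_time": "2024-02-09T08:02:30Z", "host": "WS01", "user": "CORP\\alice",
     "EventCode": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Documents\ahk-notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"_time": "2024-02-09T08:05:44Z", "host": "WS07", "user": "CORP\\bob",
     "EventCode": 1,
     # Renamed interpreter: the binary-name check misses it, the .ahk check does not.
     "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "CommandLine": r"svc.exe C:\Users\bob\AppData\Local\Temp\update.ahk /restart",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"_time": "2024-02-09T08:06:01Z", "host": "WS07", "user": "CORP\\bob",
     "EventCode": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Get-ChildItem C:\Temp"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"_time": "2024-02-09T08:09:15Z", "host": "WS03", "user": "CORP\\svc_build",
     "EventCode": 1,
     "Image": r"D:\tools\AutoHotkeyU64.exe",
     "CommandLine": r"AutoHotkeyU64.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def classify(event):
    """Return why an event matches the rule, or None if it does not.

    "binary": the image is a known AutoHotkey interpreter name.
    "script": a .ahk path appears on the command line, which also catches
    a renamed or copied interpreter. Compiled scripts carry neither signal
    and are a known gap of this rule.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    if image in AHK_BINARIES:
        return "binary"
    if AHK_SCRIPT_RE.search(event.get("CommandLine", "")):
        return "script"
    return None


def detect_ahk(events):
    """Apply the rule and return each hit with the metadata needed for triage."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        hits.append({
            "time": ev["_time"],
            "host": ev["host"],
            "user": ev["user"],
            "image": ev["Image"],
            "command_line": ev["CommandLine"],
            "parent": ev.get("ParentImage", ""),
            "reason": reason,
        })
    return hits


if __name__ == "__main__":
    for hit in detect_ahk(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']} {hit['user']} [{hit['reason']}] "
              f"{hit['command_line']} (parent: {hit['parent']})")
```

Three of the five constructed events match: the two interpreter launches by name and the renamed binary by its '.ahk' argument. The parent process is carried into each hit because it is the first thing to look at during triage: an interpreter started by a user's shell with a script under their own profile reads very differently from one spawned by an Office application out of a Temp directory.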
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1059 (Command and Scripting Interpreter)
Created: 2024-02-09