
Summary
This detection rule aims to identify potentially malicious executions of AutoHotkey (.ahk) scripts. Adversaries may use such automation scripts to perform a range of automated tasks on Windows systems, which can include harmful actions taken without user consent. The rule specifically targets the execution of .ahk files, including cases where the AutoHotkey binaries have been renamed to evade detection. It does so by leveraging event codes associated with process creation, filtering for the presence of the .ahk file extension alongside executable commands that could indicate misuse. Implementing this rule may generate false positives, particularly with legitimate .ahk file executions. Therefore, it is advisable to maintain a whitelist of expected executables and specific command-line arguments to reduce the incidence of these false detections.
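As an added example (not code from the rule page or from any vendor), the following Python sketch applies the logic described above to constructed process-creation records: it keeps only process-creation event codes, matches a .ahk script on the command line regardless of the binary's name (so a renamed AutoHotkey binary is still caught), applies an allowlist of expected executables and command lines to suppress the expected false positives, and, where a Sysmon-style OriginalFileName field is present (an assumption about the telemetry), flags the binary as renamed.

```python
import re
from typing import Iterable, List, Optional

PROCESS_CREATION_CODES = {4688, 1}            # Windows Security 4688, Sysmon EventID 1
AHK_PATTERN = re.compile(r'(?i)\S+\.ahk\b')   # a .ahk script named on the command line

# Allowlist of expected (executable basename, command line) pairs; tune per environment.
ALLOWLIST = [
    (re.compile(r'(?i)^autohotkey(u64|u32|64|32)?\.exe$'),
     re.compile(r'(?i)^"?C:\\Program Files\\AutoHotkey\\[^"]*\.exe"? C:\\Users\\[^\\]+\\hotkeys\.ahk$')),
    (re.compile(r'(?i)^(notepad|code)\.exe$'), re.compile(r'(?i)\.ahk')),  # editors opening scripts
]

# Constructed records mixing 4688 and Sysmon-style fields (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 4688, "NewProcessName": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\bob\hotkeys.ahk'},
    {"EventCode": 4688, "NewProcessName": r"C:\Users\Public\svchost.exe",   # renamed AHK binary
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe C:\Users\Public\payload.ahk"},
    {"EventCode": 4688, "NewProcessName": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r"AutoHotkey.exe C:\Users\bob\AppData\Local\Temp\update.ahk"},
    {"EventCode": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\hotkeys.ahk"},                 # editing, not running
    {"EventCode": 4663, "NewProcessName": "", "CommandLine": "AutoHotkey.exe x.ahk"},  # not process creation
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def is_allowlisted(exe: str, cmd: str) -> bool:
    return any(ex.match(exe) and cl.search(cmd) for ex, cl in ALLOWLIST)

def evaluate(event: dict) -> Optional[dict]:
    """Return an alert when the event matches the rule, else None."""
    if event.get("EventCode") not in PROCESS_CREATION_CODES:
        return None
    cmd = event.get("CommandLine", "")
    match = AHK_PATTERN.search(cmd)
    image = event.get("NewProcessName") or event.get("Image", "")
    exe = basename(image)
    if not match or is_allowlisted(exe, cmd):
        return None
    # Rename hint: Sysmon's OriginalFileName (PE version info) survives renaming the file on disk.
    original = event.get("OriginalFileName", "")
    renamed = bool(original) and original.lower() != exe.lower()
    return {"image": image, "script": match.group(0), "renamed_binary": renamed}

def run(events: Iterable[dict]) -> List[dict]:
    return [a for a in (evaluate(e) for e in events) if a]
```

Running `run(SAMPLE_EVENTS)` yields two alerts: the renamed binary in C:\Users\Public and the legitimate AutoHotkey.exe launching a script from a Temp directory that the allowlist does not cover.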
Categories
- Endpoint
- Windows
Data Sources
- Process
- Script
ATT&CK Techniques
- T1059
Created: 2024-02-09