AutoPwnKey – AV Evasion via Simulated User Interaction
AutoPwnKey is a penetration-testing framework that uses AutoHotKey to simulate human operations: it triggers GUI interactions through keyboard and mouse input to execute payloads, evading detection by traditional antivirus software and EDR. It supports payload packaging, script writing and obfuscation, and runs in protected environments without needing traditional binaries. 2025-6-23 01:0:0 Author: www.darknet.org.uk

AutoPwnKey is an offensive security framework that leverages AutoHotKey to execute payloads by mimicking human interaction. It is designed to bypass traditional antivirus and EDR systems by avoiding suspicious API calls and executing tasks in a user-simulated, input-driven way.


This technique is increasingly relevant as defensive tooling becomes more effective at detecting classical payload delivery and execution chains.

Overview

AutoPwnKey operates by simulating a trusted user environment. It does not inject code or exploit vulnerabilities directly. Instead, it performs keyboard and mouse inputs that trigger payload execution through legitimate graphical user interface (GUI) interactions. This approach helps bypass behavioural and heuristic-based detection methods.

Common use cases include:

  • Post-exploitation payload execution
  • AV/EDR evasion in hardened environments
  • Running offensive actions without dropping traditional binaries

The tool supports payload packaging, GUI script writing, and runtime obfuscation.

Key Features

  • Uses AutoHotKey scripting to simulate user actions
  • Bypasses most behavioural antivirus detections
  • Modular payload runner framework
  • Customizable interaction chains (e.g., open terminal, type command, close window)
  • Supports execution in sandbox-aware scenarios

Installation and Usage

AutoPwnKey requires AutoHotKey to be installed on the target or execution environment.

Install

git clone https://github.com/CroodSolutions/AutoPwnKey.git
cd AutoPwnKey

Detection and Limitations

Because AutoPwnKey does not exploit memory or use standard injection techniques, it bypasses many real-time AV scanners. However:

  • It relies on GUI access and screen presence
  • Script-based methods may trigger user alerts or UAC prompts if improperly scoped
  • Defender SmartScreen and AMSI may flag compiled .exe versions depending on runtime behaviour

Mitigation Guidance

Blue teams can mitigate AutoPwnKey-style attacks by:

  • Monitoring for unusual AutoHotKey usage
  • Blocking unsigned executables from AppData or Temp
  • Alerting on scripted GUI interactions from non-trusted binaries
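The three mitigation bullets above map directly onto process-creation telemetry. The following is an added example (not part of the original post or the AutoPwnKey project) that turns them into detection rules and runs them over a handful of constructed process-creation records. The record fields (`image`, `cmdline`, `parent`, `signed`) are a simplified, assumed schema loosely modelled on Sysmon Event ID 1; a real deployment would map them from whatever the endpoint agent emits, and code-signing status in particular would come from a separate source rather than the process-creation event itself.

```python
"""Flag process-creation events that match the AutoPwnKey-style indicators
named in the mitigation guidance: AutoHotkey interpreter use, unsigned
binaries from user-writable directories, and shells spawned by a script host.
Added example; not project code."""
import re

# Constructed, simplified process-creation records (assumed field names,
# not real logs).  Paths and users are invented for illustration.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\AppData\Local\Temp\run.ahk',
     "parent": r"C:\Windows\explorer.exe", "signed": True},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo hello",
     "parent": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "signed": True},
    {"image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "cmdline": r"updater.exe", "parent": r"C:\Windows\explorer.exe", "signed": False},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" report.docx',
     "parent": r"C:\Windows\explorer.exe", "signed": True},
]

# AutoHotkey ships several interpreter binaries (AutoHotkey.exe, AutoHotkeyU32/U64.exe ...).
AHK_INTERPRETER = re.compile(r"autohotkey(?:u?(?:32|64))?\.exe$", re.I)
# Directories an unprivileged user can write to and launch from.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|tmp)\\", re.I)
# Shells and script hosts a GUI-driven chain would typically open and type into.
SHELLS = re.compile(r"\\(?:cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$", re.I)


def classify(event):
    """Return the list of rule names this event triggers (empty list = benign)."""
    hits = []
    image, parent, cmd = event["image"], event["parent"], event["cmdline"]
    # Rule 1: any AutoHotkey interpreter start, or a .ahk script on the command line.
    if AHK_INTERPRETER.search(image) or re.search(r"\.ahk\b", cmd, re.I):
        hits.append("ahk_execution")
    # Rule 2: unsigned executable launched from AppData or Temp.
    if not event["signed"] and USER_WRITABLE.search(image):
        hits.append("unsigned_from_user_dir")
    # Rule 3: a shell or script host whose parent is an AutoHotkey interpreter,
    # i.e. a scripted GUI interaction chain reaching a command interpreter.
    if AHK_INTERPRETER.search(parent) and SHELLS.search(image):
        hits.append("ahk_spawned_shell")
    return hits


def scan(events):
    """Map each event's index to the rules it triggered, omitting benign events."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```

Rule 1 on its own will be noisy in environments where AutoHotkey is a sanctioned productivity tool, so in practice it is tuned with an allow-list of known script paths; rules 2 and 3 are the higher-signal ones, since a shell spawned by an AutoHotkey interpreter is exactly the "open terminal, type command" chain the tool relies on.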

How to Contribute

The team welcomes and encourages contributions, participation, and feedback, provided that all participation is lawful and ethical. Please develop new scripts, contribute ideas, and refine the existing scripts we have created. The goal of this project is to develop a robust testing framework available to red, blue, and purple teams for assessment purposes, with the hope that one day we can achieve this goal, as improvements to detection logic will make this attack vector irrelevant.

  1. Fork the project
  2. Create your feature branch (git checkout -b feature/AmazingFeature)
  3. Commit your changes (git commit -m 'Add some AmazingFeature')
  4. Push to the branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

You can read more or download AutoPwnKey here: https://github.com/CroodSolutions/AutoPwnKey

Source: https://www.darknet.org.uk/2025/06/autopwnkey-av-evasion-via-simulated-user-interaction/