Autorun.inf created in root C drive

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.

Attacker's Goals

The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.

Investigative actions

Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).