Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
An autorun file installed at the root of the C:\ drive is suspicious, as autorun files are typically associated with removable drives.
Attacker's Goals
The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.
Investigative actions
Read the content of the 'Autorun.inf' file in the root directory of the drive (the file may be hidden).
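To support the investigative action above, the following added example (not part of the original detector documentation) parses the bytes of a collected 'Autorun.inf' and returns only the `[autorun]` entries that name a program to launch (`open`, `shellexecute`, `shell\<verb>\command`), skipping comments and junk padding lines. The function names and the sample file content are constructed for illustration.

```python
import re

# Keys in the [autorun] section that name a program or command to launch.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)

def decode_inf(raw: bytes) -> str:
    """Decode Autorun.inf bytes: UTF-16 when a BOM is present, otherwise ANSI."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("cp1252", errors="replace")

def exec_entries(raw: bytes) -> list[tuple[str, str]]:
    """Return (key, command) pairs from [autorun] that would launch a program."""
    section, found = None, []
    for line in decode_inf(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk padding or a section that does not launch anything
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if EXEC_KEYS.match(key) and value:
            found.append((key.lower(), value))
    return found

# Constructed sample content, not taken from a real incident.
SAMPLE = (
    b"; constructed sample for illustration\r\n"
    b"xkq93jd0f junk padding line\r\n"
    b"[AutoRun]\r\n"
    b"icon=setup.ico\r\n"
    b"Open=tools\\updater.exe /s\r\n"
    b"shell\\explore\\Command = tools\\updater.exe\r\n"
    b"label=Local Disk\r\n"
)

if __name__ == "__main__":
    for key, cmd in exec_entries(SAMPLE):
        print(f"{key}: {cmd}")
```

Each returned command is a path to check next: whether the referenced file exists on the drive, when it was created, and which process wrote it.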