Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0003 ✕ technique: T1091 ✕
Show ATT&CK heatmapAutorun.inf created in root C drive Medium
An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Hijack Execution Flow: Services File Permissions Weakness (T1574.010) Replication Through Removable Media (T1091)Required data: XDR AgentAttacker's goals: The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.Investigative actions: Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).