Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0008 ✕ technique: T1091 ✕

Show ATT&CK heatmap
  • Autorun.inf created in root C drive Medium

    An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Hijack Execution Flow: Services File Permissions Weakness (T1574.010) Replication Through Removable Media (T1091)
    Required data: XDR Agent
    Attacker's goals: The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.
    Investigative actions: Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).