MITRE ATT&CK® Detection Strategy

DET0748: Detection of Autorun Image

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0748 is an ATT&CK for ICS detection strategy for identifying abuse of Autorun Image behavior: malicious code executed through AutoRun/AutoPlay-style functionality or scripts on removable media such as USB devices or disk images. For security leaders, the business issue is not just malware execution; it is whether operational environments still contain legacy or permissive configurations where removable media can become an execution path into industrial systems.

Executive priority

Prioritize this as an operational resilience and cyber-physical risk question: do critical ICS assets allow AutoRun/AutoPlay or similar removable-media execution paths, and can the organization prove those controls are disabled or monitored? This also supports audit and incident readiness because removable media controls, endpoint hardening, and evidence collection are often scrutinized after industrial environment malware events.

Technical view

MITRE provides no official detection text, platforms, or tactics for DET0748, so teams should derive validation from the related ICS technique T0895 Autorun Image. SOC and IR teams should confirm whether they can observe removable media insertion, disk image mounting where applicable, autorun/autoplay configuration state, script or process execution originating from removable media paths, and changes enabling autorun behavior. Detection engineering should be environment-specific because ICS hosts may include legacy operating systems, constrained logging, or segmented networks where endpoint telemetry is inconsistent.

Likely telemetry

  • Removable media insertion and mounting events
  • Disk image mounting events where collected
  • Endpoint process creation events showing execution from removable media or mounted image paths
  • Autorun/AutoPlay configuration state or policy evidence
  • Script execution logs where enabled

Detection direction

  • Validate that logging exists on the ICS asset classes most likely to interact with removable media, especially engineering workstations, operator workstations, and maintenance systems where locally applicable.
  • Tune for process or script execution initiated from removable media or mounted image locations, while accounting for legitimate maintenance workflows that may use removable media.
  • Monitor for configuration changes that enable AutoRun/AutoPlay or weaken removable-media restrictions.
  • Correlate removable media events with subsequent process execution, new files, or security alerts rather than treating insertion alone as malicious.
  • Document blind spots where legacy systems, isolated hosts, or vendor-managed assets do not provide sufficient telemetry.
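The correlation logic outlined above, as an added example that is not part of the Glexia page or the ATT&CK object: it reads constructed mount, process-creation and configuration events, alerts on execution from a mounted removable path (severity scaled by how soon after the mount it happened, so insertion alone never alerts), and flags a Windows NoDriveTypeAutoRun policy value whose removable-drive bit is clear. Event shapes, host names and the 30-minute window are assumptions chosen for illustration.

```python
"""Correlate removable-media mounts with later process execution from the mounted
path, and flag AutoRun policy values that leave removable drives enabled.
Event records below are constructed for illustration, not real ICS telemetry."""
from datetime import datetime, timedelta

# NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled;
# 0x04 covers removable drives and 0xFF disables AutoRun for every type.
REMOVABLE_BIT = 0x04

# Constructed sample events: (ISO timestamp, event type, fields)
SAMPLE_EVENTS = [
    ("2026-01-10T08:00:00", "mount",   {"host": "ews01", "path": "E:\\"}),
    ("2026-01-10T08:00:12", "process", {"host": "ews01", "image": "E:\\setup\\update.exe"}),
    ("2026-01-10T08:10:00", "process", {"host": "ews01", "image": "C:\\Windows\\System32\\notepad.exe"}),
    ("2026-01-10T09:00:00", "mount",   {"host": "ops02", "path": "F:\\"}),
    ("2026-01-10T11:30:00", "process", {"host": "ops02", "image": "F:\\tool.exe"}),
    ("2026-01-10T12:00:00", "config",  {"host": "ops02", "key": "NoDriveTypeAutoRun", "value": 0x91}),
    ("2026-01-10T12:05:00", "config",  {"host": "ews01", "key": "NoDriveTypeAutoRun", "value": 0xFF}),
]

def correlate(events, window_minutes=30):
    """Return a list of alert dicts. A mount by itself never produces an alert."""
    mounts = {}   # (host, lower-cased mount path) -> time of mount
    alerts = []
    for ts, kind, f in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "mount":
            mounts[(f["host"], f["path"].lower())] = when
        elif kind == "process":
            image = f["image"].lower()
            for (host, path), mounted_at in mounts.items():
                if host == f["host"] and image.startswith(path):
                    age = when - mounted_at
                    alerts.append({
                        "host": host, "rule": "exec_from_removable", "image": f["image"],
                        "minutes_since_mount": int(age.total_seconds() // 60),
                        # execution shortly after mounting is the AutoRun-like pattern
                        "severity": "high" if age <= timedelta(minutes=window_minutes) else "medium",
                    })
        elif kind == "config" and f["key"] == "NoDriveTypeAutoRun":
            if not f["value"] & REMOVABLE_BIT:   # removable drives not covered
                alerts.append({"host": f["host"], "rule": "autorun_removable_enabled",
                               "value": hex(f["value"]), "severity": "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Legitimate maintenance workflows that run tools from removable media will also match `exec_from_removable`, so an allow-list of approved hosts or images is the usual tuning step.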

Mitigation priorities

  • Disable AutoRun/AutoPlay functionality where possible, consistent with the related technique description.
  • Maintain and audit removable media control policies for ICS environments.
  • Use configuration baselines to verify that legacy or high-risk systems do not retain permissive autorun settings.
  • Restrict and govern removable media use through approved maintenance procedures.
  • Ensure incident response playbooks include evidence collection for removable media use, mounted images, autorun configuration, and related process execution.

Analyst notes and limits

This take is based on DET0748 and its relationship to ICS technique T0895 Autorun Image. Because the detection strategy has no official description, detection text, tactics, platforms, or aliases, the practical guidance is intentionally framed around defensible validation questions and telemetry classes implied by the related technique description.

ATT&CK does not specify platforms, tactics, or a formal detection method for this detection strategy. Local asset inventory, operating system details, removable media workflows, and available endpoint telemetry are required to determine actual coverage and risk.

Official MITRE ATT&CK definition

Detection of Autorun Image

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain  ID     Name           Relationship / procedure
ICS     T0895  Autorun Image  This object detects Autorun Image.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: bd6554f4de9c0a40...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  bd6554f4de9c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0748 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.