MITRE ATT&CK® Mitigation

M0928: Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Domain: ICS | ID: M0928 | Type: Mitigation object | Version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Operating System Configuration is a hardening mitigation for ICS environments: make OS-level configuration changes that reduce exposure to adversary techniques. In the supplied ATT&CK context, its decision value is strongest around removable media risk, including malware transfer into isolated control environments and abuse of AutoRun or AutoPlay-like behavior. For leaders, this is a governance and resilience issue: systems that are separated from enterprise networks can still be exposed through trusted people, suppliers, contractors, and portable media.

Executive priority

Prioritize this mitigation where control-system workstations, engineering stations, or other ICS-adjacent assets may interact with removable media. The business question is whether OS baselines actually prevent unsafe execution paths, especially AutoRun/AutoPlay behavior, and whether exceptions are documented for operational need. This mitigation also supports compliance evidence mapped in ATT&CK to IEC 62443-3-3 SR 7.7, IEC 62443-4-2 CR 7.7, and NIST SP 800-53 Rev. 5 CM-7, making it relevant to audit readiness and configuration management accountability.

Technical view

SOC, IR, and engineering teams should validate that OS hardening standards address the related ICS techniques: T0847 Replication Through Removable Media and T0895 Autorun Image. Because ATT&CK provides no detection text and no specific platforms for M0928, coverage should be assessed locally through configuration baselines, change records, endpoint policy state, and removable-media handling evidence. Detection engineering should focus less on the mitigation object itself and more on proving that risky OS features are disabled or controlled and that deviations from the approved baseline are visible.

Likely telemetry

  • Operating system configuration baseline records and compliance scan results
  • Endpoint management or configuration management policy state
  • Change management records for OS hardening settings and exceptions
  • Removable media insertion or device-use logs where available
  • Endpoint security alerts or logs related to execution from removable media

Detection direction

  • Validate whether monitoring can identify systems where required OS hardening settings are missing, changed, or excepted.
  • Tune reviews around removable media workflows, because the related techniques involve physical introduction of media into ICS environments rather than purely network-based access.
  • Correlate configuration drift with asset criticality and physical/vendor access paths; isolated systems may be high risk even with limited network telemetry.
  • Treat false positives carefully: some operational environments may require approved removable media use, so detection should distinguish authorized exceptions from unmanaged configuration drift.
  • Because MITRE provides no official detection guidance for this mitigation, rely on local baseline evidence, configuration assessment, and incident-response lessons learned.

Mitigation priorities

  • Define an approved OS hardening baseline for ICS-relevant assets, including common OS features that could enable execution from removable media.
  • Disable or restrict AutoRun/AutoPlay-like behavior where operationally feasible, since the related ATT&CK technique specifically describes abuse of that functionality.
  • Document and approve any exceptions needed for operations, suppliers, or maintenance workflows.
  • Continuously verify configuration state through configuration management or compliance assessment rather than relying on build-time assumptions.
  • Align evidence collection with IEC 62443 and NIST CM-7 mappings so security controls can also support audit and governance requirements.
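As an added example covering both the Detection direction and Mitigation priorities lists above (this is not code from MITRE or Glexia): a PowerShell audit of the Windows Explorer policy values that an ICS workstation baseline would pin to disable AutoRun/AutoPlay, reporting each as Compliant, Missing or Drifted and separating a documented exception from unmanaged drift. The value names are the standard Explorer policy values; the expected DWORDs, the exception hostname and the ticket reference are assumptions and placeholders.

```powershell
# Added example, not from the MITRE or Glexia page: audit AutoRun/AutoPlay policy state
# on a Windows ICS workstation and classify each setting as Compliant, Missing or Drifted.
# Assumed baseline: NoDriveTypeAutoRun = 0xFF (AutoRun off for all drive types),
# NoAutorun = 1, NoAutoplayfornonVolume = 1, all under the HKLM Explorer policy key.
# HKCU equivalents are out of scope here. The exception hostname is a placeholder.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$Baseline = @(
    @{ Name = 'NoDriveTypeAutoRun';     Expected = 0xFF },
    @{ Name = 'NoAutorun';              Expected = 1 },
    @{ Name = 'NoAutoplayfornonVolume'; Expected = 1 }
)

# Hosts with a documented, approved exception (placeholder hostname and ticket reference).
$ApprovedExceptions = @{ 'ENG-WS-PLACEHOLDER' = 'CHG-PLACEHOLDER: vendor media workflow' }

function Test-AutorunBaseline {
    param([string]$Path = $ExplorerPolicy, [hashtable[]]$Items = $Baseline)
    foreach ($item in $Items) {
        # A missing key or value yields $null rather than an error.
        $prop   = Get-ItemProperty -Path $Path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $prop) { $prop.($item.Name) } else { $null }
        $state  = if ($null -eq $actual) { 'Missing' } elseif ([int]$actual -eq $item.Expected) { 'Compliant' } else { 'Drifted' }
        $shown  = if ($null -eq $actual) { '<absent>' } else { '0x{0:X}' -f [int]$actual }
        [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            Setting  = $item.Name
            Expected = '0x{0:X}' -f $item.Expected
            Actual   = $shown
            State    = $state
        }
    }
}

$results = Test-AutorunBaseline
$results | Format-Table -AutoSize

# Distinguish an approved, documented exception from unmanaged configuration drift,
# so the evidence trail records which of the two a non-compliant host represents.
$nonCompliant = @($results | Where-Object { $_.State -ne 'Compliant' })
if ($nonCompliant.Count -gt 0) {
    if ($ApprovedExceptions.ContainsKey($env:COMPUTERNAME)) {
        Write-Output "Non-compliant under approved exception: $($ApprovedExceptions[$env:COMPUTERNAME])"
    } else {
        Write-Warning "Unmanaged drift on $env:COMPUTERNAME: $($nonCompliant.Count) setting(s) missing or changed."
    }
}
```

Run it under an account that can read HKLM policy keys; the emitted objects can be exported (for example with Export-Csv) as baseline evidence for the IEC 62443 and CM-7 mappings named above.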

Analyst notes and limits

This is a mitigation object, not an adversary behavior. The strongest relationship-driven context is removable media risk in ICS, including movement into environments separated from enterprise networks and execution through AutoRun-related features. Glexia would use this object to drive hardening validation, exception governance, and evidence collection rather than to create a standalone detection rule.

ATT&CK does not specify platforms, tactics, aliases, or detection guidance for M0928 in the supplied fields. The related technique descriptions are truncated in the source context. Local operating systems, asset roles, approved maintenance processes, and available telemetry must determine the exact control and detection implementation.

Official MITRE ATT&CK definition

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID    | Name                                | Relationship / procedure
ICS    | T0847 | Replication Through Removable Media | Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.
ICS    | T0895 | Autorun Image                       | Configure operating systems to disable the autorun of any specific file types or drives.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the snapshot table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 7f29bd062a227e52...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 7f29bd062a22…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M0928 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.