MITRE ATT&CK® Technique

T0895: Autorun Image

Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor.

An example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine's hardware configuration. They could then deploy an ISO image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.

Domain: ICS | ID: T0895 | Type: Technique | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Autorun Image matters because it turns removable or virtually mounted media into a code-execution path, including in ICS environments where operator workstations, HMIs, historians, control servers, application servers, and jump hosts may support operations. The business concern is not just USB use; the ATT&CK description also highlights virtual machine environments where an ISO could be mapped through a hypervisor and execute inside a guest without prior remote access to that system.

Executive priority

Prioritize confirmation that AutoRun/AutoPlay-style behavior is disabled or hardened on ICS-supporting systems and that changes involving removable or virtual media are visible to security and operations teams. This is especially important for operational resilience because the targeted asset relationships include systems central to monitoring, control, remote access, and engineering workflows. Leaders should ask whether OT workstations, HMIs, jump hosts, and virtualized ICS servers have documented configuration baselines and audit evidence showing these features are controlled.

Technical view

ATT&CK provides no official detection text for T0895, but it does link DET0748 as a related detection strategy and M0928 Operating System Configuration as a mitigation. SOC and IR teams should validate whether they can observe media mount activity, process starts from removable or disk-image sources, AutoRun/AutoPlay configuration state, and hypervisor-side virtual media mapping or VM hardware configuration changes. Because the technique object itself lists no platforms, scope validation to the related ICS assets and their stated Linux, Windows, or Embedded platforms rather than assuming universal coverage.

Likely telemetry

  • Operating system configuration evidence showing whether AutoRun or AutoPlay functionality is enabled or disabled
  • Removable media insertion or mount events, including USB and disk image or ISO mounts where available
  • Process execution telemetry showing command lines, parent processes, and execution paths associated with mounted media
  • File creation or access events on removable media or mounted disk images
  • Hypervisor or virtualization management logs for virtual media attachment and VM hardware configuration changes

Detection direction

  • Use DET0748 as the ATT&CK-linked detection strategy reference, but require local detection logic and data-source validation because the technique object does not include official detection guidance.
  • Tune for execution that originates from newly mounted removable media or disk images, especially where the host normally should not execute software from those locations.
  • Correlate guest operating system execution events with hypervisor-side events such as ISO attachment or virtual hardware configuration changes.
  • Treat jump hosts, HMIs, engineering workstations, and control/application servers as high-value review points because they are related target assets for this technique.
  • Account for false positives from legitimate maintenance, software installation, engineering tools, and vendor support workflows that use removable or mounted media.
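The correlation described in the bullets above, as an added example: this is not ATT&CK's content for DET0748 and not Glexia tooling. It joins guest-side process starts from non-fixed drives (Windows presents Explorer-mounted and hypervisor-attached ISOs as CD-ROM drives, USB sticks as removable drives) with hypervisor-side ISO attachments for the same VM inside a time window, and downgrades matches whose ISO came from an approved maintenance location to cover the vendor-support false-positive path. The host names, datastore paths, user names, five-minute window and the event field names are constructed assumptions; adapt them to your EDR and hypervisor audit schemas.

```python
"""Correlate guest-side execution from newly mounted media with hypervisor-side
virtual media attachment. Added example on constructed events, not real logs."""
from datetime import datetime, timedelta

# Mounted ISOs present as CDROM drives and USB media as REMOVABLE drives;
# execution from either is the trigger condition for this detection.
NON_FIXED_DRIVE_TYPES = {"CDROM", "REMOVABLE"}

# Constructed guest process-creation records (hypothetical hosts and paths).
GUEST_EVENTS = [
    {"ts": "2024-05-01T10:02:15", "host": "hmi-01", "event": "process_create",
     "image": r"E:\setup.exe", "parent": r"C:\Windows\explorer.exe", "drive_type": "CDROM"},
    {"ts": "2024-05-01T10:02:17", "host": "hmi-01", "event": "process_create",
     "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "drive_type": "FIXED"},
    {"ts": "2024-05-01T14:30:00", "host": "eng-ws-02", "event": "process_create",
     "image": r"D:\vendor_patch.exe", "parent": r"C:\Windows\explorer.exe", "drive_type": "CDROM"},
    {"ts": "2024-05-01T16:05:00", "host": "hist-01", "event": "process_create",
     "image": r"F:\tool.exe", "parent": r"C:\Windows\explorer.exe", "drive_type": "REMOVABLE"},
]

# Constructed hypervisor management audit records (hypothetical datastore paths and users).
HYPERVISOR_EVENTS = [
    {"ts": "2024-05-01T10:01:50", "vm": "hmi-01", "event": "cdrom_attach",
     "iso": "[datastore1] tmp/upd.iso", "user": "svc-backup"},
    {"ts": "2024-05-01T14:29:00", "vm": "eng-ws-02", "event": "cdrom_attach",
     "iso": "[datastore1] iso/vendor_patch.iso", "user": "ot-admin"},
]


def correlate_media_execution(guest_events, hv_events, window_seconds=300,
                              approved_iso_prefixes=()):
    """Return one alert per process start from a non-fixed drive.

    Severity is 'medium' on guest evidence alone, 'high' when a hypervisor
    cdrom_attach for the same VM preceded it within window_seconds, and 'low'
    when that attach used an ISO from an approved maintenance location."""
    attaches = [e for e in hv_events if e["event"] == "cdrom_attach"]
    alerts = []
    for g in guest_events:
        if g["event"] != "process_create" or g["drive_type"] not in NON_FIXED_DRIVE_TYPES:
            continue
        t_exec = datetime.fromisoformat(g["ts"])
        alert = {"host": g["host"], "image": g["image"], "severity": "medium",
                 "reason": "execution from non-fixed media; no hypervisor attach in window"}
        for a in attaches:
            if a["vm"] != g["host"]:
                continue
            delta = t_exec - datetime.fromisoformat(a["ts"])
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                approved = any(a["iso"].startswith(p) for p in approved_iso_prefixes)
                alert["severity"] = "low" if approved else "high"
                alert["reason"] = (f"{a['user']} attached {a['iso']} "
                                   f"{int(delta.total_seconds())}s before execution")
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate_media_execution(GUEST_EVENTS, HYPERVISOR_EVENTS,
                                       approved_iso_prefixes=("[datastore1] iso/",)):
        print(a["severity"].upper(), a["host"], a["image"], "-", a["reason"])
```

Run as-is it emits three alerts: HIGH for hmi-01 (an unexpected service account attached an ISO from a scratch directory 25 seconds before execution), LOW for eng-ws-02 (approved vendor ISO inside a change window), and MEDIUM for hist-01 (USB execution with no hypervisor-side evidence). The svchost start from the fixed disk is ignored. The window and approved prefixes are the two tuning knobs the false-positive bullet calls for.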

Mitigation priorities

  • Establish and verify hardened operating system configuration for AutoRun/AutoPlay behavior, consistent with M0928 Operating System Configuration.
  • Maintain configuration baselines for ICS-supporting assets and include evidence that removable-media autorun behavior is disabled or controlled.
  • Review and control the use of removable media and disk images in operational environments, especially for maintenance and engineering workflows.
  • For virtualized environments, ensure virtual media attachment and VM hardware configuration changes are governed, logged, and reviewed.
  • Prioritize validation on related ICS assets: workstations, HMIs, data historians, control servers, application servers, and jump hosts.
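The configuration-baseline check called for in the mitigation list above, as an added example rather than M0928's own text or a Glexia tool. It evaluates the Windows registry values that govern AutoRun and AutoPlay: the NoDriveTypeAutoRun bitmask under the Policies\Explorer key (one bit per Win32 drive type, 0xFF disables AutoRun everywhere), the NoAutorun policy value that stops autorun.inf commands, and the per-user DisableAutoplay switch. The value names and bit layout are the real Windows ones; the captured host dictionaries are constructed, and the HKLM-over-HKCU precedence and the 0x91 OS default are documented behaviour that the code assumes. Because a mounted or hypervisor-attached ISO presents as a CD-ROM drive, the check insists on the CDROM bit as well as the REMOVABLE bit.

```python
"""Evaluate a captured Windows AutoRun/AutoPlay configuration against a hardened
baseline. Added example on constructed registry captures, not real hosts."""

# Bits of NoDriveTypeAutoRun: bit = 1 << drive_type for each Win32 drive type.
DRIVE_BITS = {
    "UNKNOWN": 0x01, "NO_ROOT_DIR": 0x02, "REMOVABLE": 0x04, "FIXED": 0x08,
    "REMOTE": 0x10, "CDROM": 0x20, "RAMDISK": 0x40, "RESERVED": 0x80,
}
DEFAULT_NO_DRIVE_TYPE_AUTORUN = 0x91  # assumed OS default: unknown, remote, reserved only
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
AUTOPLAY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers"


def effective_no_drive_type_autorun(values):
    """HKLM policy overrides HKCU (assumed, as documented); absent both, the default applies."""
    for hive in ("HKLM", "HKCU"):
        v = values.get((hive, POLICY_KEY, "NoDriveTypeAutoRun"))
        if v is not None:
            return v
    return DEFAULT_NO_DRIVE_TYPE_AUTORUN


def assess_autorun_policy(values, required_drive_types=("REMOVABLE", "CDROM")):
    """Return a list of findings; an empty list means the host meets the baseline.

    Mounted ISOs (Explorer or hypervisor-attached) appear as CDROM drives, so
    CDROM is required alongside REMOVABLE rather than treating USB as the only risk."""
    findings = []
    mask = effective_no_drive_type_autorun(values)
    for dt in required_drive_types:
        if not mask & DRIVE_BITS[dt]:
            findings.append(f"NoDriveTypeAutoRun=0x{mask:02X} leaves AutoRun enabled for {dt} drives")
    if values.get(("HKLM", POLICY_KEY, "NoAutorun")) != 1:
        findings.append("NoAutorun is not 1: autorun.inf commands may still be honoured")
    if values.get(("HKCU", AUTOPLAY_KEY, "DisableAutoplay")) != 1:
        findings.append("DisableAutoplay is not 1: AutoPlay remains enabled for the user")
    return findings


# Constructed captures keyed by (hive, key path, value name).
WEAK_HOST = {}  # legacy HMI with nothing set: effective mask falls back to the default
HARDENED_HOST = {
    ("HKLM", POLICY_KEY, "NoDriveTypeAutoRun"): 0xFF,
    ("HKLM", POLICY_KEY, "NoAutorun"): 1,
    ("HKCU", AUTOPLAY_KEY, "DisableAutoplay"): 1,
}
MIXED_HOST = {  # user hardened HKCU, but a machine policy still carries the default mask
    ("HKLM", POLICY_KEY, "NoDriveTypeAutoRun"): 0x91,
    ("HKCU", POLICY_KEY, "NoDriveTypeAutoRun"): 0xFF,
    ("HKLM", POLICY_KEY, "NoAutorun"): 1,
    ("HKCU", AUTOPLAY_KEY, "DisableAutoplay"): 1,
}

if __name__ == "__main__":
    for name, host in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST), ("mixed", MIXED_HOST)):
        print(name, assess_autorun_policy(host) or ["baseline met"])
```

The MIXED_HOST case is the one worth keeping in a baseline audit: a user-level 0xFF looks hardened in a screenshot, but the machine policy at 0x91 is what takes effect, and both REMOVABLE and CDROM remain open. Feed the function the same (hive, key, value) tuples exported from your configuration-management or registry-collection tooling to produce the audit evidence the executive priority section asks for.
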

Analyst notes and limits

The campaign relationship to C0034 indicates ATT&CK associates Autorun Image with the 2022 Ukraine Electric Power Attack, but that should not be interpreted as evidence of current exploitation in any specific environment. The most useful defensive question is whether the organization can prove that autorun behavior and virtual media workflows are controlled on systems that support monitoring, control, remote access, and operational analysis.

The supplied ATT&CK object does not specify tactics, technique platforms, or official detection details. Telemetry and control recommendations therefore rely on the official description, the DET0748 detection-strategy relationship, the M0928 mitigation relationship, and the listed ICS asset relationships. Local operating system versions, virtualization architecture, logging configuration, and maintenance practices are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ea02976cfcab3276...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   ea02976cfcab…

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.