Autorun Image

Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor.

An example could include an adversary gaining access to a hypervisor through the management interface to modify a virtual machine’s hardware configuration. They could then deploy an iso image with a malicious AutoRun script to cause the virtual machine to automatically execute the code contained on the disk image. This would enable the execution of malicious code within a virtual machine without needing any prior remote access to that system.

ID: T0895
Sub-techniques:  No sub-techniques
Tactic: Execution
Version: 1.0
Created: 26 March 2024
Last Modified: 08 April 2024

Procedure Examples

ID Name Description
C0034 2022 Ukraine Electric Power Attack

During the 2022 Ukraine Electric Power Attack, Sandworm Team used existing hypervisor access to map an ISO image named a.iso to a virtual machine running a SCADA server. The SCADA server’s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.[1]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0006 Data Historian
A0002 Human-Machine Interface (HMI)
A0012 Jump Host
A0001 Workstation


ID Mitigation Description
M0928 Operating System Configuration

Configure operating systems to disable the autorun of any specific file types or drives.


ID Data Source Data Component Detects
DS0016 Drive Drive Creation

Monitor for newly constructed drive letters or mount points to removable media.

DS0009 Process Process Creation

Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user.