AhnLab EPP

Last updated Dec 2, 2025

Autorun malware

Detects attempts to spread malware through automatic execution when a USB device is connected, based on AhnLab EPP V3 malware alert logs.

Query

The AhnLab V3 antivirus engine flags USB-propagated malware such as TextImage/Autorun when the device is scanned on connection. This rule keeps only those malware alerts whose detected file path is an autorun.inf at the root of a drive letter (for example E:\autorun.inf); the comparison is made on the lower-cased path, so AUTORUN.INF is matched as well.

| search lower(file_path) == "*:\\autorun.inf*"

Message

  • AhnLab EPP V3 USB Autorun Malware Detected: Host $host_ip, Malware $signature

Field Order

  • _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5
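The rule's match logic replayed over constructed alert records, as an added example that is not part of the original rule page and is not AhnLab's or the SIEM's code. It assumes the query's `"\\"` unescapes to a single backslash, that alert records arrive as tab-separated values in the field order above, and uses placeholder hostnames, users and hashes:

```python
"""Replay the autorun detection rule over constructed AhnLab V3 alert records.

Added example, not code from the rule page or from AhnLab. It re-implements
the query  | search lower(file_path) == "*:\\autorun.inf*"  so that the
matching behaviour (case folding, drive-root anchoring, the trailing
wildcard) can be checked offline.
"""
from fnmatch import fnmatchcase

# Field order published with the rule.
FIELD_ORDER = ["_log_time", "hostname", "host_ip", "emp_name", "dept_name",
               "signature", "file_path", "file_status", "md5"]

# Wildcard pattern from the rule. Assumption: the SIEM unescapes "\\" in the
# string literal to one backslash, so the effective glob is  *:\autorun.inf*
AUTORUN_GLOB = r"*:\autorun.inf*"

# Message template from the rule ($host_ip / $signature become format fields).
MESSAGE = ("AhnLab EPP V3 USB Autorun Malware Detected: "
           "Host {host_ip}, Malware {signature}")


def parse_record(line):
    """Split one tab-separated alert line into the rule's named fields."""
    values = line.split("\t")
    if len(values) != len(FIELD_ORDER):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_ORDER), len(values)))
    return dict(zip(FIELD_ORDER, values))


def is_root_autorun(file_path):
    """Mirror lower(file_path) == "*:\\autorun.inf*".

    The query lower-cases the field, so we do the same and then use
    fnmatchcase: '*' matches any run of characters, backslashes included,
    and no OS-specific case normalisation is applied on top.
    """
    return fnmatchcase(file_path.lower(), AUTORUN_GLOB)


def detect(lines):
    """Return the alert message for every record the rule would fire on."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_root_autorun(rec["file_path"]):
            hits.append(MESSAGE.format(**rec))
    return hits


def _rec(*fields):
    """Join one record's values in FIELD_ORDER as a tab-separated line."""
    return "\t".join(fields)


# Constructed sample alerts (hostnames, users and md5 values are placeholders).
SAMPLE_ALERTS = [
    # autorun.inf at the root of a removable drive: fires
    _rec("2025-12-02 09:14:03", "PC-SALES-07", "10.20.30.41", "J. Doe", "Sales",
         "TextImage/Autorun", r"E:\autorun.inf", "Deleted", "0" * 31 + "1"),
    # upper-case name on another drive letter: lower() makes it fire
    _rec("2025-12-02 09:20:11", "PC-HR-02", "10.20.31.12", "K. Lee", "HR",
         "TextImage/Autorun", r"F:\AUTORUN.INF", "Quarantined", "0" * 31 + "2"),
    # same signature, but the file sits in a user folder, not a drive root: no fire
    _rec("2025-12-02 09:25:40", "PC-HR-02", "10.20.31.12", "K. Lee", "HR",
         "TextImage/Autorun", r"C:\Users\klee\Downloads\autorun.inf", "Deleted", "0" * 31 + "3"),
    # trailing '*' in the glob also catches renamed copies such as autorun.inf.bak
    _rec("2025-12-02 09:31:05", "PC-DEV-14", "10.20.32.77", "M. Park", "R&D",
         "TextImage/Autorun", r"G:\autorun.inf.bak", "Deleted", "0" * 31 + "4"),
    # a UNC share path has no drive letter and never matches, even at the share root
    _rec("2025-12-02 09:33:52", "PC-DEV-14", "10.20.32.77", "M. Park", "R&D",
         "TextImage/Autorun", r"\\fileserver\public\autorun.inf", "Deleted", "0" * 31 + "5"),
]

if __name__ == "__main__":
    for msg in detect(SAMPLE_ALERTS):
        print(msg)
```

Running the script prints three messages: the E: and F: root hits and the G:\autorun.inf.bak variant. The Downloads copy and the UNC path stay silent, which is the behaviour to keep in mind when reading the False Positive and Response Actions sections: the rule is anchored on a drive letter, not on the device type.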

Threat Analysis

  • An autorun.inf planted in the root of a USB storage device has traditionally been used for automatic execution and propagation of malware: the file points Windows at an executable on the device that runs when the drive is mounted.
  • Attackers use an infected USB device to launch a malicious executable automatically, gaining initial access or carrying the malware from host to host as the device is plugged into other machines on the internal network.
  • On older Windows versions that still honour autorun.inf on removable drives (Windows XP/Vista without the AutoRun hardening update; Windows 7 and later only honour it on optical media), execution needs no user interaction, so infection spreads as fast as the device moves between hosts and immediate action is essential.

False Positive

  • Some legitimate USB devices (vendor-bundled software) and legacy installation media ship an autorun.inf, but such a file only reaches this rule if V3 has already classified it as malware, so the base false-positive rate is low.
  • The drive-letter match is not USB-specific: a mapped network drive or optical media also produces paths such as X:\autorun.inf, and the trailing wildcard in the query also matches renamed copies such as autorun.inf.bak. Confirm the drive type on the endpoint before treating an alert as a USB infection.
  • Modern security environments rarely rely on USB autorun functionality, so a confirmed legitimate case should be handled by documenting and whitelisting that device rather than by weakening the rule.

Response Actions

  • Run a full malware scan and file-system check on both the USB device and the endpoint that mounted it, and check whether the executable the autorun.inf pointed at (typically via its open= or shellexecute= entry) is still present on either.
  • Treat the USB device as the carrier: isolate it, then pivot on the same md5 and drive letter across the other endpoints' alert logs to find every host that used it.
  • Verify that AutoRun is disabled for all drive types, either through Group Policy (the "Turn off AutoPlay" policy applied to all drives, which sets NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) or through the EPP device-control configuration.
  • If necessary, tighten the USB storage usage policy and enable detection or blocking of unauthorised USB devices.

MITRE ATT&CK