BCY-ADV-2026-011 TECHNIQUE

USB & Removable Media AutoRun Malware
MITRE T1091 · Physical Vector · No User Interaction on Insertion · One Registry Key Fixes It

MITRE T1091USBAutoRunAutoPlayPhysicalRemovable MediaNo CVE
Prepared by Warren Barr · Barr Cyber LLC · barr-cyber.com · May 2026
What This Is
AutoRun and AutoPlay allow executable content on USB drives to execute automatically when the drive is inserted — without any user interaction beyond plugging in the device. This is a configuration weakness, not a software vulnerability. It has been used in physical attack scenarios, supply chain attacks, and adversarial testing for decades. One registry key eliminates the entire attack class.
Technique Details
MITRE ATT&CK: T1091 — Replication Through Removable Media
No CVE: Configuration weakness — not a software bug
Tools: USB Rubber Ducky, O.MG Cable, malicious USB drives, BadUSB
Mitigation: Disable AutoRun for all drive types via registry (single key)
How It Works
Windows reads the autorun.inf file on inserted removable media and executes the specified program. Even without autorun.inf, AutoPlay presents the user with options that can include executable content. Physical attackers drop USB drives in parking lots, mail them to targets, or insert them directly. In insider threat scenarios, employees may deliberately or accidentally introduce malicious drives. The Stuxnet worm — which destroyed Iranian nuclear centrifuges — used USB AutoRun as its initial propagation vector in air-gapped environments.
Detection
Check AutoRun status (PowerShell):
# Check NoDriveTypeAutoRun value — 255 = all drives disabled Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
# Safe result (255 = all drive types disabled): NoDriveTypeAutoRun : 255
Event log — detect USB insertion and execution:
# Event ID 20001 — new USB device installed # Event ID 6416 — new external device recognized (requires audit policy) Get-WinEvent -FilterHashtable @{LogName='System';Id=20001} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
IOCs
File autorun.inf on USB drive root Process Unexpected process spawned immediately after USB insertion Event ID 20001 New USB device installed (System log) Event ID 6416 New external device recognized (requires advanced audit) Registry HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (USB device history) File System Executable files (.exe, .bat, .ps1) in USB drive root Network Outbound connections immediately following USB insertion
Mitigation — PowerShell Commands

Step 1 — Disable AutoRun for all drive types (system-wide):

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

Step 2 — Disable AutoRun at user level (belt and suspenders):

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

Step 3 — Disable AutoPlay via Group Policy (prevents AutoPlay prompt):

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f

Verify:

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoDriveTypeAutoRun # Expected: NoDriveTypeAutoRun : 255

Sources
MITRE ATT&CK — T1091 Replication Through Removable Media
Microsoft — How to disable AutoRun
BCY-ADV-2026-011 · Published May 2026 · Barr Cyber LLC · Kalispell, MT
Questions? warren@barr-cyber.com
Barr Cyber — Endpoint Hardening & System Configuration

AutoRun disablement for all drive types is applied in every Barr Cyber endpoint hardening engagement — a single registry key that eliminates an entire class of physical attack vectors.

Get in Touch →
← PowerShell LOTL All Advisories Next — Default Account Names →