MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1547.013: XDG Autostart Entries

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.

Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. When the user’s desktop environment is loaded at user login, the .desktop files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the /etc/xdg/autostart directory while the user entries are located in the \~/.config/autostart directory.

Adversaries may combine this technique with Masquerading to blend malicious Autostart entries with legitimate programs.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_persistence: PT-CR-1666: Unix_Autostart_Modify: XDG Autostart file change

Detection

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot.

IDDS0022Data source and componentFile: File ModificationDescription

Malicious XDG autostart entries may be detected by auditing file modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.

IDDS0022Data source and componentFile: File CreationDescription

Malicious XDG autostart entries may be detected by auditing file creation events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.

Mitigation

IDM1022NameRestrict File and Directory PermissionsDescription

Restrict write access to XDG autostart entries to only select privileged users.

IDM1018NameUser Account ManagementDescription

Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries.

IDM1033NameLimit Software InstallationDescription

Restrict software installation to trusted repositories only and be cautious of orphaned software packages.