T1547.013: XDG Autostart Entries
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop
) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.
Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec
directive in the .desktop
configuration file. When the user’s desktop environment is loaded at user login, the .desktop
files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the /etc/xdg/autostart
directory while the user entries are located in the \~/.config/autostart
directory.
Adversaries may combine this technique with Masquerading to blend malicious Autostart entries with legitimate programs.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_persistence: PT-CR-1666: Unix_Autostart_Modify: XDG Autostart file change
Detection
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot. |
---|
ID | DS0022 | Data source and component | File: File Modification | Description | Malicious XDG autostart entries may be detected by auditing file modification events within the |
---|
ID | DS0022 | Data source and component | File: File Creation | Description | Malicious XDG autostart entries may be detected by auditing file creation events within the |
---|
Mitigation
ID | M1022 | Name | Restrict File and Directory Permissions | Description | Restrict write access to XDG autostart entries to only select privileged users. |
---|
ID | M1018 | Name | User Account Management | Description | Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries. |
---|
ID | M1033 | Name | Limit Software Installation | Description | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
---|