Ctrl+K

T1547.013 - XDG Autostart Entries

T1547.013 - XDG Autostart Entries#

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)

Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. When the user’s desktop environment is loaded at user login, the .desktop files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the /etc/xdg/autostart directory while the user entries are located in the ~/.config/autostart directory.

Adversaries may combine this technique with Masquerading to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)

Atomic Tests:#

Currently, no tests are available for this technique.

Detection#

Malicious XDG autostart entries may be detected by auditing file creation and modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables \(XDG_CONFIG_HOME</code> or <code>\)XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.

Suspicious processes or scripts spawned in this manner will have a parent process of the desktop component implementing the XDG specification and will execute as the logged on user.

Contents