T1547.013
Boot or Logon Autostart Execution: XDG Autostart Entries

ID Name
T1547.001 Registry Run Keys / Startup Folder
T1547.002 Authentication Package
T1547.003 Time Providers
T1547.004 Winlogon Helper DLL
T1547.005 Security Support Provider
T1547.006 Kernel Modules and Extensions
T1547.007 Re-opened Applications
T1547.008 LSASS Driver
T1547.009 Shortcut Modification
T1547.010 Port Monitors
T1547.012 Print Processors
T1547.013 XDG Autostart Entries
T1547.014 Active Setup
T1547.015 Login Items

Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.[1]

Within an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.[2]

Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use Masquerading to make XDG autostart entries look as if they are associated with legitimate programs.

ID: T1547.013
Sub-technique of:  T1547
Platforms: Linux
Permissions Required: User, root
Contributors: Tony Lambert, Red Canary
Version: 1.0
Created: 10 September 2019
Last Modified: 10 November 2020
Version Permalink

Procedure Examples

ID Name Description
S0410 Fysbis

Fysbis has installed itself as an autostart entry under ~/.config/autostart/dbus-inotifier.desktop to establish persistence.[3]

S0198 NETWIRE

NETWIRE can use XDG Autostart Entries to establish persistence.[4]

Mitigations

ID Mitigation Description
M1033 Limit Software Installation

Restrict software installation to trusted repositories only and be cautious of orphaned software packages.

M1022 Restrict File and Directory Permissions

Restrict write access to XDG autostart entries to only select privileged users.

M1018 User Account Management

Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot.

DS0022 File File Creation

Malicious XDG autostart entries may be detected by auditing file creation events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.

    File Modification

Malicious XDG autostart entries may be detected by auditing file modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.

DS0009 Process Process Creation

Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot.

References

  1. Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019.
  2. Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019.
  1. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  2. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.

連絡先:@amj_trans

 

MITRE ATT&CK 日本語化プロジェクト