DET0390 Linux Detection Strategy for T1547.013 - XDG Autostart Entries

Item	Value
ID	DET0390
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1547.013 (XDG Autostart Entries)

Analytics

Linux

AN1096

Correlation of file creation/modification of .desktop files within XDG autostart directories, followed by execution of processes at user login initiated by the desktop environment. Malicious entries typically include suspicious Exec paths or anomalous names and are not associated with installed packages.

Log Sources

Data Component	Name	Channel
File Creation (DC0039)	auditd:SYSCALL	creat
File Access (DC0055)	auditd:SYSCALL	open
Process Creation (DC0032)	auditd:EXECVE	Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart
File Metadata (DC0059)	linux:osquery	Write or modify .desktop file in XDG autostart path
Logon Session Creation (DC0067)	linux:auth	User login event followed by unexpected process tree

Mutable Elements

Field	Description
ExecCommandPattern	Regex or allowlist of expected Exec paths within .desktop files. Deviations may be suspicious.
AutostartDirectory	May vary by user config (e.g., $XDG_CONFIG_HOME). Must enumerate actual values per system.
TimeWindow	Correlate file creation/mod + exec within login window (e.g., 0–5 min of user logon).
UserContext	Should filter to non-system users, as XDG persistence typically targets interactive sessions.
PackageOriginBaseline	Compare .desktop entries to known package sources (e.g., `dpkg -S`). Unexpected origins may be suspicious.