T1547.013 XDG Autostart Entries
Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.1
Within an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.2
Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use Masquerading to make XDG autostart entries look as if they are associated with legitimate programs.
| Item | Value |
|---|---|
| ID | T1547.013 |
| Sub-techniques | T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015 |
| Tactics | TA0003, TA0004 |
| Platforms | Linux |
| Permissions required | User, root |
| Version | 1.0 |
| Created | 10 September 2019 |
| Last Modified | 10 November 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0410 | Fysbis | Fysbis has installed itself as an autostart entry under ~/.config/autostart/dbus-inotifier.desktop to establish persistence.4 |
| S0198 | NETWIRE | NETWIRE can use XDG Autostart Entries to establish persistence.3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1033 | Limit Software Installation | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
| M1022 | Restrict File and Directory Permissions | Restrict write access to XDG autostart entries to only select privileged users. |
| M1018 | User Account Management | Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
References
-
Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019. ↩
-
Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019. ↩
-
Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. ↩
-
Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017. ↩