Description
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)
Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. When the user’s desktop environment is loaded at user login, the .desktop files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the /etc/xdg/autostart directory while the user entries are located in the ~/.config/autostart directory.
Adversaries may combine this technique with Masquerading to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)
Platforms
Mitigations (3)
Restrict File and Directory PermissionsM1022
Restrict write access to XDG autostart entries to only select privileged users.
User Account ManagementM1018
Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries.
Limit Software InstallationM1033
Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has established persistence using [InvisibleFerret](https://attack.mitre.org/software/S1... |
Associated Software (6)
| ID | Name | Type | Context |
|---|---|---|---|
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can use XDG Autostart Entries to establish persistence on Linux systems.(Citation: Red Canary NETWI... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can use an XDG Autostart to establish persistence.(Citation: Red Canary Netwire Linux 2022) |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has established persistence within GNOME-based Linux environments by placing entries within... |
| S0235 | CrossRAT | Malware | [CrossRAT](https://attack.mitre.org/software/S0235) can use an XDG Autostart to establish persistence.(Citation: Red Canary Netwire Linux 2022) |
| S1078 | RotaJakiro | Malware | When executing with user-level permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) can install persistence using a .desktop file under ... |
| S0410 | Fysbis | Malware | If executing without root privileges, [Fysbis](https://attack.mitre.org/software/S0410) adds a `.desktop` configuration file to the user's `~/.config/... |
References
- Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019.
- Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved November 17, 2024.
- TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.
Frequently Asked Questions
What is T1547.013 (XDG Autostart Entries)?
T1547.013 is a MITRE ATT&CK technique named 'XDG Autostart Entries'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-comp...
How can T1547.013 be detected?
Detection of T1547.013 (XDG Autostart Entries) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1547.013?
There are 3 documented mitigations for T1547.013. Key mitigations include: Restrict File and Directory Permissions, User Account Management, Limit Software Installation.
Which threat groups use T1547.013?
Known threat groups using T1547.013 include: Contagious Interview.