V
Scaner-VSvulnerability catalog · v4.2
ENRU
T1547.013EnterpriseSub-technique
Matrix: Enterprise
Status: Active
STIX: 19.0
Source ↗

XDG Autostart Entries

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media. Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user’s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory. Adversaries may combine this technique with Masquerading to blend malicious Autostart entries with legitimate programs.

Tactics

PersistencePrivilege Escalation

Parent technique

T1547
Boot or Logon Autostart Execution

Platforms

Linux

Mitigations

M1018
User Account Management
M1022
Restrict File and Directory Permissions
M1033
Limit Software Installation
Open in catalog with ATT&CK filter →

Related CAPECs

Affected vulnerabilities (Inferred)

View on attack.mitre.org ↗
No matches — refine the filter to see a result.