
Boot or Logon Autostart Execution: XDG Autostart Entries, Sub-technique T1547.013 - Enterprise | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Boot or Logon Autostart Execution: XDG Autostart Entries, Sub-technique T1547.013 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' 
id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> 
<b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External 
site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/techniques/T1547">Boot or Logon Autostart Execution</a></li> <li class="breadcrumb-item">XDG Autostart Entries</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Boot or Logon Autostart Execution:</span> XDG Autostart Entries </h1> <div class="row"> 
<div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Boot or Logon Autostart Execution (14)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1547/001/" class="subtechnique-table-item" data-subtechnique_id="T1547.001"> T1547.001 </a> </td> <td> <a href="/techniques/T1547/001/" class="subtechnique-table-item" data-subtechnique_id="T1547.001"> Registry Run Keys / Startup Folder </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/002/" class="subtechnique-table-item" data-subtechnique_id="T1547.002"> T1547.002 </a> </td> <td> <a href="/techniques/T1547/002/" class="subtechnique-table-item" data-subtechnique_id="T1547.002"> Authentication Package </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/003/" class="subtechnique-table-item" data-subtechnique_id="T1547.003"> T1547.003 </a> </td> <td> <a href="/techniques/T1547/003/" class="subtechnique-table-item" data-subtechnique_id="T1547.003"> Time Providers </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/004/" class="subtechnique-table-item" data-subtechnique_id="T1547.004"> T1547.004 </a> </td> <td> <a href="/techniques/T1547/004/" class="subtechnique-table-item" data-subtechnique_id="T1547.004"> Winlogon Helper DLL </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/005/" class="subtechnique-table-item" data-subtechnique_id="T1547.005"> T1547.005 </a> </td> <td> <a href="/techniques/T1547/005/" class="subtechnique-table-item" data-subtechnique_id="T1547.005"> Security Support Provider 
</a> </td> </tr> <tr> <td> <a href="/techniques/T1547/006/" class="subtechnique-table-item" data-subtechnique_id="T1547.006"> T1547.006 </a> </td> <td> <a href="/techniques/T1547/006/" class="subtechnique-table-item" data-subtechnique_id="T1547.006"> Kernel Modules and Extensions </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/007/" class="subtechnique-table-item" data-subtechnique_id="T1547.007"> T1547.007 </a> </td> <td> <a href="/techniques/T1547/007/" class="subtechnique-table-item" data-subtechnique_id="T1547.007"> Re-opened Applications </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/008/" class="subtechnique-table-item" data-subtechnique_id="T1547.008"> T1547.008 </a> </td> <td> <a href="/techniques/T1547/008/" class="subtechnique-table-item" data-subtechnique_id="T1547.008"> LSASS Driver </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/009/" class="subtechnique-table-item" data-subtechnique_id="T1547.009"> T1547.009 </a> </td> <td> <a href="/techniques/T1547/009/" class="subtechnique-table-item" data-subtechnique_id="T1547.009"> Shortcut Modification </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/010/" class="subtechnique-table-item" data-subtechnique_id="T1547.010"> T1547.010 </a> </td> <td> <a href="/techniques/T1547/010/" class="subtechnique-table-item" data-subtechnique_id="T1547.010"> Port Monitors </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/012/" class="subtechnique-table-item" data-subtechnique_id="T1547.012"> T1547.012 </a> </td> <td> <a href="/techniques/T1547/012/" class="subtechnique-table-item" data-subtechnique_id="T1547.012"> Print Processors </a> </td> </tr> <tr> <td class="active"> T1547.013 </td> <td class="active"> XDG Autostart Entries </td> </tr> <tr> <td> <a href="/techniques/T1547/014/" class="subtechnique-table-item" data-subtechnique_id="T1547.014"> T1547.014 </a> </td> <td> <a href="/techniques/T1547/014/" class="subtechnique-table-item" data-subtechnique_id="T1547.014"> Active Setup </a> </td> 
 </tr> <tr> <td> <a href="/techniques/T1547/015/" class="subtechnique-table-item" data-subtechnique_id="T1547.015"> T1547.015 </a> </td> <td> <a href="/techniques/T1547/015/" class="subtechnique-table-item" data-subtechnique_id="T1547.015"> Login Items </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (<code>.desktop</code>) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019."data-reference="Free Desktop Application Autostart Feb 2006"><sup><a href="https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019."data-reference="Free Desktop Entry Keys"><sup><a href="https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p><p>Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the <code>Exec</code> directive in the <code>.desktop</code> configuration file. 
When the user’s desktop environment is loaded at user login, the <code>.desktop</code> files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the <code>/etc/xdg/autostart</code> directory while the user entries are located in the <code>~/.config/autostart</code> directory.</p><p>Adversaries may combine this technique with <a href="/techniques/T1036">Masquerading</a> to blend malicious Autostart entries with legitimate programs.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023."data-reference="Red Canary Netwire Linux 2022"><sup><a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1547.013 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/techniques/T1547">T1547</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/tactics/TA0003">Persistence</a>, <a href="/tactics/TA0004">Privilege Escalation</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span 
data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The lowest level of permissions the adversary is required to be operating within to perform the (sub-)technique on a system">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Permissions Required:&nbsp;</span>User, root </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Tony Lambert, Red Canary </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>10 September 2019 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>16 October 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1547.013" href="/versions/v16/techniques/T1547/013/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1547.013" href="/versions/v16/techniques/T1547/013/" data-test-ignore="true">Live Version</a><!--do not change this line without also 
changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0235"> S0235 </a> </td> <td> <a href="/software/S0235"> CrossRAT </a> </td> <td> <p><a href="/software/S0235">CrossRAT</a> can use an XDG Autostart to establish persistence.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023."data-reference="Red Canary Netwire Linux 2022"><sup><a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0410"> S0410 </a> </td> <td> <a href="/software/S0410"> Fysbis </a> </td> <td> <p>If executing without root privileges, <a href="/software/S0410">Fysbis</a> adds a <code>.desktop</code> configuration file to the user's <code>~/.config/autostart</code> directory.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023."data-reference="Red Canary Netwire Linux 2022"><sup><a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. 
Retrieved December 7, 2017."data-reference="Fysbis Dr Web Analysis"><sup><a href="https://vms.drweb.com/virus/?i=4276269" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0198"> S0198 </a> </td> <td> <a href="/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/software/S0198">NETWIRE</a> can use XDG Autostart Entries to establish persistence on Linux systems.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021."data-reference="Red Canary NETWIRE January 2020"><sup><a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0192"> S0192 </a> </td> <td> <a href="/software/S0192"> Pupy </a> </td> <td> <p><a href="/software/S0192">Pupy</a> can use an XDG Autostart to establish persistence.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023."data-reference="Red Canary Netwire Linux 2022"><sup><a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1078"> S1078 </a> </td> <td> <a href="/software/S1078"> RotaJakiro </a> </td> <td> <p>When executing with user-level permissions, <a href="/software/S1078">RotaJakiro</a> can install persistence using a .desktop file under the <code>$HOME/.config/autostart/</code> folder.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title=" Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. 
Retrieved June 14, 2023."data-reference="RotaJakiro 2021 netlab360 analysis"><sup><a href="https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1033"> M1033 </a> </td> <td> <a href="/mitigations/M1033"> Limit Software Installation </a> </td> <td> <p>Restrict software installation to trusted repositories only and be cautious of orphaned software packages.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1022"> M1022 </a> </td> <td> <a href="/mitigations/M1022"> Restrict File and Directory Permissions </a> </td> <td> <p>Restrict write access to XDG autostart entries to only select privileged users.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1018"> M1018 </a> </td> <td> <a href="/mitigations/M1018"> User Account Management </a> </td> <td> <p>Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed 
commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot.</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Creation">File Creation</a> </td> <td> <p>Malicious XDG autostart entries may be detected by auditing file creation events within the <code>/etc/xdg/autostart</code> and <code>~/.config/autostart</code> directories. Depending on individual configurations, defenders may need to query the environment variables <code>$XDG_CONFIG_HOME</code> or <code>$XDG_CONFIG_DIRS</code> to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0022-File Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0022/#File%20Modification">File Modification</a> </td> <td> <p>Malicious XDG autostart entries may be detected by auditing file modification events within the <code>/etc/xdg/autostart</code> and <code>~/.config/autostart</code> directories. Depending on individual configurations, defenders may need to query the environment variables <code>$XDG_CONFIG_HOME</code> or <code>$XDG_CONFIG_DIRS</code> to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. 
Suspicious entries can also be identified by comparing entries to a trusted system baseline.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html" target="_blank"> Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html" target="_blank"> Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023. 
</a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4.0"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://vms.drweb.com/virus/?i=4276269" target="_blank"> Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" target="_blank"> Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy 
Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>
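The Detection guidance above (auditing <code>/etc/xdg/autostart</code> and <code>~/.config/autostart</code>, resolving <code>$XDG_CONFIG_HOME</code> and <code>$XDG_CONFIG_DIRS</code>, and comparing entries to a trusted baseline), together with the description of how a <code>.desktop</code> file's <code>Exec</code> directive is launched at login, worked through as an added Python example that is not MITRE's or the freedesktop project's code. It also applies the specification's override and <code>Hidden</code> rules, which the page does not spell out; every package name, path and entry in <code>demo()</code> is constructed.

```python
"""Audit XDG Autostart entries against a trusted baseline (added example).

Resolves the autostart directories as the Autostart Specification describes
($XDG_CONFIG_HOME/autostart, then <dir>/autostart for each $XDG_CONFIG_DIRS
entry), parses the .desktop files there, applies the override and Hidden
rules, and diffs the result against a baseline. All names in demo() are
constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def autostart_dirs(env: Dict[str, str]) -> List[Path]:
    """Autostart directories in precedence order; defaults are ~/.config and /etc/xdg."""
    home = env.get("HOME", "/")
    config_home = env.get("XDG_CONFIG_HOME") or os.path.join(home, ".config")
    config_dirs = [d for d in env.get("XDG_CONFIG_DIRS", "/etc/xdg").split(":") if d]
    return [Path(config_home) / "autostart"] + [Path(d) / "autostart" for d in config_dirs]


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Key/value pairs of the [Desktop Entry] group; comments and other groups are skipped."""
    keys: Dict[str, str] = {}
    in_main = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main = line == "[Desktop Entry]"
            continue
        if in_main and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip()] = value.strip()
    return keys


def effective_entries(dirs: List[Path]) -> Dict[str, Dict[str, str]]:
    """Entries a session would launch: the first file with a given name wins (user
    dir shadows /etc/xdg), and Hidden=true disables an entry entirely."""
    seen: Dict[str, Dict[str, str]] = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for path in sorted(d.glob("*.desktop")):
            if path.name in seen:
                continue  # shadowed by a higher-precedence directory
            entry = parse_desktop_entry(path.read_text(errors="replace"))
            entry["_path"] = str(path)  # kept so a finding can cite the file
            seen[path.name] = entry
    return {n: e for n, e in seen.items() if e.get("Hidden", "").lower() != "true"}


def audit(entries: Dict[str, Dict[str, str]], baseline: Dict[str, str]) -> List[str]:
    """Compare effective entries with a baseline mapping file name -> Exec value."""
    findings: List[str] = []
    for name, e in sorted(entries.items()):
        exec_cmd = e.get("Exec", "")
        if name not in baseline:
            findings.append(f"NEW {name}: Exec={exec_cmd!r} at {e['_path']}")
        elif baseline[name] != exec_cmd:
            findings.append(f"CHANGED {name}: Exec={exec_cmd!r}, baseline={baseline[name]!r}")
    for name in sorted(set(baseline) - set(entries)):
        findings.append(f"MISSING {name}: in baseline but hidden or removed")
    return findings


def demo() -> List[str]:
    """Lay out constructed system and user autostart directories and audit them."""
    root = Path(tempfile.mkdtemp(prefix="xdg-audit-"))
    system = root / "etc" / "xdg" / "autostart"
    user = root / "home" / "alice" / ".config" / "autostart"
    system.mkdir(parents=True)
    user.mkdir(parents=True)
    head = "[Desktop Entry]\nType=Application\n"
    # System-wide entries as a (fictional) package would ship them.
    (system / "vendor-agent.desktop").write_text(head + "Name=Vendor Agent\nExec=/usr/bin/vendor-agent --background\n")
    (system / "screen-lock.desktop").write_text(head + "Name=Screen Lock\nExec=/usr/bin/screen-lock --autostart\n")
    # User-level override that disables vendor-agent for this account only.
    (user / "vendor-agent.desktop").write_text("[Desktop Entry]\nHidden=true\n")
    # User-level entry with no package or baseline behind it.
    (user / "update-check.desktop").write_text(head + "Name=Update Check\nExec=/home/alice/.local/share/updater --daemon\n")
    # User-level copy of screen-lock whose Exec no longer matches the package's.
    (user / "screen-lock.desktop").write_text(head + "Name=Screen Lock\nExec=/home/alice/.local/share/screen-lock --autostart\n")
    env = {"HOME": str(root / "home" / "alice"), "XDG_CONFIG_DIRS": str(root / "etc" / "xdg")}
    baseline = {"vendor-agent.desktop": "/usr/bin/vendor-agent --background",
                "screen-lock.desktop": "/usr/bin/screen-lock --autostart"}
    return audit(effective_entries(autostart_dirs(env)), baseline)
```

Calling demo() yields three findings (a CHANGED, a NEW and a MISSING entry); on a real host pass os.environ to autostart_dirs() and a baseline recorded from a clean install of the same image.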
