Boot or Logon Autostart Execution: XDG Autostart Entries
Other sub-techniques of Boot or Logon Autostart Execution (15)
Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart
or ~/.config/autostart
directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)
Within an XDG autostart entry file, the Type
key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name
key indicates an arbitrary name assigned by the creator and the Exec
key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)
Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use Masquerading to make XDG autostart entries look as if they are associated with legitimate programs.
Procedure Examples |
|
Name | Description |
---|---|
NETWIRE |
NETWIRE can use XDG Autostart Entries to establish persistence.(Citation: Red Canary NETWIRE January 2020) |
Fysbis |
Fysbis has installed itself as an autostart entry under |
Mitigations |
|
Mitigation | Description |
---|---|
Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Limit Software Installation |
Block users or groups from installing unapproved software. |
Detection
Malicious XDG autostart entries may be detected by auditing file creation and modification events within the /etc/xdg/autostart
and ~/.config/autostart
directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME
or $XDG_CONFIG_DIRS
to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.
Suspicious processes or scripts spawned in this manner will have a parent process of the desktop component implementing the XDG specification and will execute as the logged on user.
References
- Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019.
- Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.