Correlate creation or modification of .desktop files within XDG autostart directories (/etc/xdg/autostart, ~/.config/autostart) with processes that the desktop environment launches at user login. Malicious entries typically carry suspicious Exec paths or anomalous names and are not associated with any installed package.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | creat |
| File Access (DC0055) | auditd:SYSCALL | open |
| Process Creation (DC0032) | auditd:EXECVE | Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart |
| File Metadata (DC0059) | linux:osquery | Write or modify .desktop file in XDG autostart path |
| Logon Session Creation (DC0067) | linux:auth | User login event followed by unexpected process tree |

| Field | Description |
|---|---|
| ExecCommandPattern | Regex or allowlist of expected Exec paths within .desktop files. Deviations may be suspicious. |
| AutostartDirectory | May vary by user config (e.g., $XDG_CONFIG_HOME). Must enumerate actual values per system. |
| TimeWindow | Correlate file creation/modification and process execution within the login window (e.g., 0–5 min after user logon). |
| UserContext | Should filter to non-system users, as XDG persistence typically targets interactive sessions. |
| PackageOriginBaseline | Compare .desktop entries to known package sources (e.g., `dpkg -S`). Unexpected origins may be suspicious. |
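The ExecCommandPattern and PackageOriginBaseline checks above, as an added example that is not part of the original analytic: it parses the Exec key of each .desktop entry, compares the program against an assumed allowlist regex, and asks `dpkg -S` (or an injected stub, for offline runs) whether the file is package-owned. The sample .desktop contents and the allowlist are constructed assumptions.

```python
import re
import shlex
import subprocess
from configparser import ConfigParser
from typing import Callable, Optional

# Constructed sample .desktop files keyed by path (not real files): one shipped by a
# package under /etc/xdg/autostart, one dropped into a user's ~/.config/autostart.
SAMPLE_FILES = {
    "/etc/xdg/autostart/at-spi-dbus-bus.desktop":
        "[Desktop Entry]\nType=Application\nName=AT-SPI D-Bus Bus\n"
        "Exec=/usr/libexec/at-spi-bus-launcher --launch-immediately\nNoDisplay=true\n",
    "/home/alice/.config/autostart/update-check.desktop":
        "[Desktop Entry]\nType=Application\nName=update-check\n"
        "Exec=/bin/sh -c \"/home/alice/.cache/.u/run --quiet\"\nHidden=false\n",
}

# ExecCommandPattern: assumed baseline of where legitimate autostart programs live.
EXEC_ALLOWLIST = re.compile(r"^/usr/(bin|libexec|lib)/[\w.\-/]+$")


def parse_exec(desktop_text: str) -> Optional[str]:
    """Return the Exec= value from the [Desktop Entry] group, or None if missing."""
    cp = ConfigParser(interpolation=None, strict=False)  # tolerate duplicate keys
    cp.read_string(desktop_text)
    return cp.get("Desktop Entry", "Exec", fallback=None)


def dpkg_owner(path: str) -> Optional[str]:
    """PackageOriginBaseline: owning package per `dpkg -S`, or None if unowned/unavailable."""
    try:
        res = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True, check=False)
    except FileNotFoundError:  # not a Debian-family host
        return None
    return res.stdout.split(":", 1)[0] if res.returncode == 0 and res.stdout else None


def assess_entry(path: str, text: str, owner_of: Callable[[str], Optional[str]]) -> dict:
    """Flag an autostart entry whose Exec program or file origin deviates from baseline."""
    reasons = []
    exec_value = parse_exec(text)
    program = shlex.split(exec_value)[0] if exec_value else ""  # first token = program
    if not EXEC_ALLOWLIST.match(program):
        reasons.append("exec-outside-allowlist")
    if owner_of(path) is None:
        reasons.append("desktop-file-not-package-owned")
    return {"path": path, "exec": program, "reasons": reasons, "suspicious": bool(reasons)}


def scan(files: dict, owner_of: Callable[[str], Optional[str]] = dpkg_owner) -> list:
    """Assess every .desktop entry; `files` maps path -> file contents."""
    return [assess_entry(p, t, owner_of) for p, t in files.items()]
```

On a live host, build `files` by reading every *.desktop under the enumerated AutostartDirectory values and call `scan(files)` so the real `dpkg -S` lookup runs.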