1. Home
  2. Techniques
  3. Enterprise
  4. Boot or Logon Autostart Execution
  5. XDG Autostart Entries

Boot or Logon Autostart Execution: XDG Autostart Entries

ID Name
T1547.001 Registry Run Keys / Startup Folder
T1547.002 Authentication Package
T1547.003 Time Providers
T1547.004 Winlogon Helper DLL
T1547.005 Security Support Provider
T1547.006 Kernel Modules and Extensions
T1547.007 Re-opened Applications
T1547.008 LSASS Driver
T1547.009 Shortcut Modification
T1547.010 Port Monitors
T1547.012 Print Processors
T1547.013 XDG Autostart Entries
T1547.014 Active Setup
T1547.015 Login Items

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.[1][2]

Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. When the user’s desktop environment is loaded at user login, the .desktop files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the /etc/xdg/autostart directory while the user entries are located in the ~/.config/autostart directory.

Adversaries may combine this technique with Masquerading to blend malicious Autostart entries with legitimate programs.[3]

ID: T1547.013
Sub-technique of:  T1547
Platforms: Linux
Contributors: Tony Lambert, Red Canary
Version: 1.2
Created: 10 September 2019
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G1052 Contagious Interview

Contagious Interview has established persistence using InvisibleFerret malware to create a .desktop entry to run on startup on GNOME-based Linux devices.[4]
S0235 CrossRAT

CrossRAT can use an XDG Autostart to establish persistence.[3]
S0410 Fysbis

If executing without root privileges, Fysbis adds a .desktop configuration file to the user's ~/.config/autostart directory.[3][5]
S1245 InvisibleFerret

InvisibleFerret has established persistence within GNOME-based Linux environments by placing entries within .desktop that run on Startup.[4]
S0198 NETWIRE

NETWIRE can use XDG Autostart Entries to establish persistence on Linux systems.[6]
S0192 Pupy

Pupy can use an XDG Autostart to establish persistence.[3]
S1078 RotaJakiro

When executing with user-level permissions, RotaJakiro can install persistence using a .desktop file under the $HOME/.config/autostart/ folder.[7]

Mitigations

ID Mitigation Description
M1033 Limit Software Installation

Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
M1022 Restrict File and Directory Permissions

Restrict write access to XDG autostart entries to only select privileged users.
M1018 User Account Management

Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0390 Linux Detection Strategy for T1547.013 - XDG Autostart Entries AN1096

Correlation of file creation/modification of .desktop files within XDG autostart directories, followed by execution of processes at user login initiated by the desktop environment. Malicious entries typically include suspicious Exec paths or anomalous names and are not associated with installed packages.

References

  1. Free Desktop. (2006, February 13). Desktop Application Autostart Specification. Retrieved September 12, 2019.
  2. Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved November 17, 2024.
  3. TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.
  4. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
  1. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  2. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  3. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.