T1547.013 XDG Autostart Entries Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AutostartPaths = dynamic(["/etc/xdg/autostart/", "/.config/autostart/"]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (AutostartPaths)
| where FileName endswith ".desktop"
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| sort by Timestamp desc;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (".config/autostart", "/etc/xdg/autostart", "xdg-autostart")
| where ProcessCommandLine has_any ("cp ", "mv ", "tee ", "cat ", "echo ", "printf ", ">>")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

medium severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (Linux)

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Desktop environment package installations (GNOME, KDE, XFCE) that add .desktop autostart entries for system services like keyring agents, polkit, and accessibility tools
User-installed applications (Slack, Discord, Spotify, Steam) that create autostart entries during installation or when the user enables 'Start on login'
System administrators deploying autostart entries via configuration management tools (Ansible, Puppet, Chef) for monitoring agents or corporate tools
Package manager operations (apt, dnf, pacman) that install or update packages containing XDG autostart entries

Splunk

spl

index=linux sourcetype=syslog
  ("autostart" AND ".desktop")
| eval is_system_wide=if(match(_raw, "/etc/xdg/autostart/"), 1, 0)
| eval is_user_level=if(match(_raw, "\.config/autostart/"), 1, 0)
| table _time, host, user, _raw, is_system_wide, is_user_level
| sort - _time
| append
  [search index=linux sourcetype="linux:audit" type=SYSCALL
    (name="open" OR name="openat" OR name="creat" OR name="rename")
    (a0="*autostart*" OR a1="*autostart*" OR exe="*")
  | search "autostart" AND ".desktop"
  | table _time, host, auid, uid, exe, name, key
  | sort - _time]
| append
  [search index=linux sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    TargetFilename="*autostart*.desktop"
  | table _time, host, User, Image, TargetFilename
  | sort - _time]

medium severity medium confidence

Data Sources

File: File Creation File: File Modification Linux Audit Daemon Sysmon for Linux syslog

Required Sourcetypes

syslog linux:audit XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Desktop environment package installations (GNOME, KDE, XFCE) adding autostart entries for system services
User applications (Slack, Discord, Spotify) creating autostart entries when enabling start-on-login
Configuration management tools (Ansible, Puppet) deploying autostart entries for monitoring agents
Package manager operations (apt, dnf) installing packages with XDG autostart files

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [file where event.action in ("creation", "overwrite", "rename") and
   file.extension == "desktop" and
   (file.path like "/etc/xdg/autostart/*" or file.path like "*/.config/autostart/*")]
  [process where event.action == "start" and
   (process.args like "*autostart*" or process.command_line like "*xdg-autostart*") and
   process.name in ("cp", "mv", "tee", "cat", "bash", "sh", "python3", "python", "perl", "ruby")]

medium severity medium confidence

Data Sources

Elastic Endpoint Security Auditbeat Filebeat (auditd module)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* auditbeat-*

False Positives

Legitimate software installers (e.g., Slack, Zoom, VS Code) create .desktop autostart entries during installation as expected application behavior
System administrators deploying desktop environment configurations via configuration management tools like Ansible or Puppet may create or modify autostart entries in bulk
User-initiated application setup wizards that offer 'Start at login' options commonly write to ~/.config/autostart/ as a standard feature

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "QIDNAME"(qid) AS event_name,
  PAYLOAD
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (191, 147, 148)
  AND (LOWER(PAYLOAD) LIKE '%/etc/xdg/autostart/%' OR LOWER(PAYLOAD) LIKE '%/.config/autostart/%')
  AND LOWER(PAYLOAD) LIKE '%.desktop%'
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
UNION ALL
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "QIDNAME"(qid) AS event_name,
  PAYLOAD
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (191, 147, 148)
  AND (LOWER(PAYLOAD) LIKE '%xdg-autostart%' OR
       (LOWER(PAYLOAD) LIKE '%autostart%' AND
        (LOWER(PAYLOAD) LIKE '% cp %' OR LOWER(PAYLOAD) LIKE '% mv %' OR
         LOWER(PAYLOAD) LIKE '% tee %' OR LOWER(PAYLOAD) LIKE '%echo %' OR
         LOWER(PAYLOAD) LIKE '% printf %')))
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

medium severity medium confidence

Data Sources

Linux Syslog Linux Auditd QRadar Linux OS DSM

Required Tables

events

False Positives

Package managers (apt, dpkg, rpm) installing desktop applications routinely create .desktop files in /etc/xdg/autostart/ as part of normal post-install scripts
Desktop environment components such as GNOME, KDE, or XFCE may modify autostart entries during system or session updates
Monitoring or endpoint agents (e.g., Elastic Agent, Falcon sensor) may trigger file events in these directories during their own installation or update processes

Sumo Logic CSE

sql

(_sourceCategory=linux/syslog OR _sourceCategory=linux/audit OR _sourceCategory=*linux*)
| where (_raw matches /\/etc\/xdg\/autostart\// or _raw matches /\.config\/autostart\//) and _raw matches /\.desktop/
| parse regex field=_raw "(?<process_name>[a-zA-Z0-9_\-\.]+)\[(?<pid>\d+)\]" nodrop
| parse regex field=_raw "user=(?<user>\S+)" nodrop
| parse regex field=_raw "exe=\"(?<exe>[^\"]+)\"" nodrop
| parse regex field=_raw "(?<autostart_path>(?:/etc/xdg/autostart/|[\w/]*\.config/autostart/)[\w\-\.]+\.desktop)" nodrop
| eval autostart_scope = if(_raw matches /\/etc\/xdg\/autostart\//, "system-wide", if(_raw matches /\.config\/autostart\//, "user-level", "unknown"))
| eval suspicious_write = if(_raw matches /( cp | mv | tee | echo |printf |>>)/, "true", "false")
| where autostart_scope != "unknown" or suspicious_write = "true"
| table _messageTime, _sourceHost, user, process_name, exe, autostart_path, autostart_scope, suspicious_write, _raw
| sort by _messageTime desc

medium severity medium confidence

Data Sources

Linux Syslog Linux Auditd Sumo Logic Installed Collector (Linux)

Required Tables

linux/syslog linux/audit

False Positives

Software deployment pipelines using tools like Chef, Puppet, or Ansible may write .desktop autostart files as part of standard workstation configuration management
User-installed Snap or Flatpak applications automatically create autostart entries in ~/.config/autostart/ during application setup when the user enables autostart features
Linux desktop session management daemons may write temporary or session-tracking .desktop files to autostart directories during normal login/logout cycles

Google Chronicle / SecOps

yaral

rule xdg_autostart_persistence_t1547_013 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of XDG Autostart .desktop files to establish persistence on Linux desktop systems (MITRE T1547.013)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.013"
    severity = "MEDIUM"
    confidence = "MEDIUM"

  events:
    (
      // File write to XDG autostart directories
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    )
    and (
      $e.target.file.full_path = /\/etc\/xdg\/autostart\/.*\.desktop/ or
      $e.target.file.full_path = /\/.config\/autostart\/.*\.desktop/
    )
    and $e.principal.hostname != ""

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(if($e.target.file.full_path = /\/etc\/xdg\/autostart\//, 75, 50))
    $hostname = $e.principal.hostname
    $file_path = $e.target.file.full_path
    $process_name = $e.principal.process.file.full_path
    $user = $e.principal.user.userid

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle UDM Linux EDR Telemetry osquery

Required Tables

UDM Events (FILE_CREATION, FILE_MODIFICATION, PROCESS_LAUNCH)

False Positives

Enterprise software distribution systems pushing desktop application configurations to managed Linux workstations will routinely create .desktop autostart files as part of standard provisioning workflows
GNOME or KDE desktop environment updates may rewrite or update existing .desktop autostart entries in /etc/xdg/autostart/ when updating system session components
User-controlled startup preference changes via desktop settings panels (e.g., GNOME Tweaks 'Startup Applications') write directly to ~/.config/autostart/, generating benign file creation events

CrowdStrike LogScale (CQL)

cql

// XDG Autostart .desktop file creation or modification
#event_simpleName=MotionDetectionInfoEvent OR #event_simpleName=FileOpenInfo OR #event_simpleName=NewExecutableWritten
| TargetFileName=/(\/etc\/xdg\/autostart\/|\.config\/autostart\/).*\.desktop$/
| eval autostart_scope=if(TargetFileName=/\/etc\/xdg\/autostart\//, "system-wide", "user-level")
| table([_timstamp, ComputerName, UserName, TargetFileName, autostart_scope, ImageFileName, CommandLine])
| sort(_timstamp, order=desc)

// Alternative: process writing to autostart paths via shell commands
| union [
  #event_simpleName=ProcessRollup2
  | CommandLine=/(autostart|xdg-autostart)/
  | CommandLine=/( cp | mv | tee |echo |printf |>>)/
  | ImageFileName=/(\/bin\/sh|\/bin\/bash|\/usr\/bin\/python|\/usr\/bin\/perl|\/usr\/bin\/cp|\/usr\/bin\/mv|\/usr\/bin\/tee)/
  | table([_timstamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])
  | sort(_timstamp, order=desc)
]

medium severity low confidence

Data Sources

CrowdStrike Falcon EDR Falcon for Linux

Required Tables

ProcessRollup2 NewExecutableWritten FileOpenInfo MotionDetectionInfoEvent

False Positives

CrowdStrike Falcon sensor updates or Linux agent installations may themselves trigger file write events in monitored directories if the agent registers itself as an autostart service on desktop Linux systems
IT asset management tools (e.g., Landscape, Puppet agent) performing scheduled configuration enforcement may repeatedly write known-good .desktop autostart entries, generating recurring alerts
Developer workstations running build or test automation scripts that provision local desktop environments as part of integration testing pipelines may write .desktop files to autostart directories programmatically

XDG Autostart Entries

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections