T1547.013 IBM QRadar · QRadar

Detect XDG Autostart Entries in IBM QRadar

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user's desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user's desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media. Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. System-wide Autostart entries are located in /etc/xdg/autostart while user entries are located in ~/.config/autostart.
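To make the file format and the review concrete, here is an added Python auditor written for this page (it is not part of the detection package and not IBM code). It parses every .desktop file in the two autostart directories named above, reads the Exec directive, and flags entries whose command references temporary or user-writable locations, uses shell constructs, or is hidden from the desktop's startup-applications UI with NoDisplay=true. The untrusted path prefixes, the shell indicators and the two sample entries are assumptions constructed for the demonstration.

```python
"""Audit XDG autostart .desktop entries for suspicious Exec directives (example code)."""
import configparser
import os
import shlex
import tempfile
from pathlib import Path

# The two directories the text names: system-wide entries, then per-user entries.
AUTOSTART_DIRS = [Path("/etc/xdg/autostart"), Path(os.path.expanduser("~/.config/autostart"))]

# Review heuristics chosen for this example (assumptions, not a list from the page):
# locations a dropped implant commonly lives in, and shell constructs that legitimate
# desktop-application launchers rarely need.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
SHELL_INDICATORS = ("bash -c", "sh -c", "base64", "| sh", "|sh", "nohup ")


def parse_desktop_entry(path):
    """Return the [Desktop Entry] section of a .desktop file as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys such as Exec and NoDisplay are case-sensitive
    cp.read(path, encoding="utf-8")
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def assess_entry(entry):
    """Return a list of findings for one parsed entry (empty list means nothing flagged)."""
    findings = []
    exec_line = entry.get("Exec", "")
    if not exec_line:
        return findings  # no command, so nothing runs at login
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        return ["Exec is not a parseable command line: %r" % exec_line]
    for token in argv:
        if token.startswith(UNTRUSTED_PREFIXES):
            findings.append("Exec references untrusted path: " + token)
    if any(ind in exec_line for ind in SHELL_INDICATORS):
        findings.append("Exec uses a shell construct: " + exec_line)
    # NoDisplay=true keeps the entry out of the startup-applications UI while it still
    # executes; on its own it is common, so only escalate when something else was flagged.
    if entry.get("NoDisplay", "false").lower() == "true" and findings:
        findings.append("entry hidden from the UI (NoDisplay=true)")
    return findings


def audit_dirs(dirs):
    """Map each flagged .desktop file under the given directories to its findings."""
    report = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.desktop")):
            try:
                findings = assess_entry(parse_desktop_entry(f))
            except (configparser.Error, UnicodeDecodeError) as exc:
                findings = ["file could not be parsed: %s" % exc]
            if findings:
                report[str(f)] = findings
    return report


# Constructed sample entries, written to a temporary directory by demo().
BENIGN = "[Desktop Entry]\nType=Application\nName=Network\nExec=/usr/bin/nm-applet\n"
SUSPICIOUS = ("[Desktop Entry]\nType=Application\nName=System Update\n"
              "Exec=/bin/sh -c /tmp/.cache/update.sh\nNoDisplay=true\n")


def demo():
    """Run the audit over the two constructed entries; keys are file names only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "nm-applet.desktop").write_text(BENIGN)
        (root / "sysupdate.desktop").write_text(SUSPICIOUS)
        return {Path(k).name: v for k, v in audit_dirs([root]).items()}


if __name__ == "__main__":
    print(demo())                      # the constructed sample
    print(audit_dirs(AUTOSTART_DIRS))  # the real autostart directories on this host
```

Running the file audits the constructed pair first and then the host's own /etc/xdg/autostart and ~/.config/autostart; on a clean desktop the second dictionary is normally empty, and any entry it does list is worth comparing against the owning package (dpkg -S or rpm -qf on the file path).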

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.013 XDG Autostart Entries
Canonical reference
https://attack.mitre.org/techniques/T1547/013/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  PAYLOAD
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (191, 147, 148)
  AND (LOWER(PAYLOAD) LIKE '%/etc/xdg/autostart/%' OR LOWER(PAYLOAD) LIKE '%/.config/autostart/%')
  AND LOWER(PAYLOAD) LIKE '%.desktop%'
  AND starttime > NOW() - 86400000
UNION ALL
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  PAYLOAD
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (191, 147, 148)
  AND (LOWER(PAYLOAD) LIKE '%xdg-autostart%' OR
       (LOWER(PAYLOAD) LIKE '%autostart%' AND
        (LOWER(PAYLOAD) LIKE '% cp %' OR LOWER(PAYLOAD) LIKE '% mv %' OR
         LOWER(PAYLOAD) LIKE '% tee %' OR LOWER(PAYLOAD) LIKE '%echo %' OR
         LOWER(PAYLOAD) LIKE '% printf %')))
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
Severity: medium · Confidence: medium

QRadar AQL detection for XDG Autostart Entry abuse on Linux log sources. The first SELECT searches syslog and auditd events for file operations that reference a .desktop file inside an XDG autostart directory; the second catches shell commands (cp, mv, tee, echo, printf) that write into an autostart path whether or not the payload names a .desktop file, so an event can match both halves and appear twice in the union. LOGSOURCETYPEID 191 is Linux OS (syslog); 147 and 148 are auditd variants. Both halves are limited to the last 24 hours (86400000 ms).

Data Sources

  • Linux Syslog
  • Linux Auditd
  • QRadar Linux OS DSM

Required Tables

events

False Positives & Tuning

  • Package managers (apt, dpkg, rpm) installing desktop applications routinely create .desktop files in /etc/xdg/autostart/ as part of normal post-install scripts
  • Desktop environment components such as GNOME, KDE, or XFCE may modify autostart entries during system or session updates
  • Monitoring or endpoint agents (e.g., Elastic Agent, Falcon sensor) may trigger file events in these directories during their own installation or update processes
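To make the query's two branches and the tuning advice above concrete, here is an added Python model written for this page (not QRadar code and not the detection package's own tooling). It applies the same LIKE predicates to a handful of constructed syslog and auditd payloads, then suppresses matches whose auditd comm=/exe= field names one of the routine writers from the false-positive list. The process-name allowlist, the sample event records and the non-Linux log source type id 999 are assumptions; the type ids 191, 147 and 148 and the LIKE patterns come from the query.

```python
"""Python model of the page's AQL predicates plus false-positive tuning (example code)."""
import re

# Log source type ids from the query: 191 = Linux OS (syslog), 147 and 148 = auditd variants.
LINUX_LOG_SOURCE_TYPES = {191, 147, 148}
AUTOSTART_DIRS = ("/etc/xdg/autostart/", "/.config/autostart/")
WRITE_COMMANDS = (" cp ", " mv ", " tee ", "echo ", " printf ")

# Tuning allowlist built from the false-positive list. The process names are an assumption
# about what those installers and agents log as comm=/exe=; adjust them to your fleet.
BENIGN_WRITERS = {"dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "elastic-agent", "falcon-sensor"}
COMM_RE = re.compile(r'\b(?:comm|exe)="([^"]+)"')


def branch_file_operation(payload: str) -> bool:
    """First SELECT: a .desktop file referenced under an autostart directory."""
    p = payload.lower()
    return any(d in p for d in AUTOSTART_DIRS) and ".desktop" in p


def branch_shell_write(payload: str) -> bool:
    """Second SELECT: 'xdg-autostart', or 'autostart' next to a file-writing command."""
    p = payload.lower()
    return "xdg-autostart" in p or ("autostart" in p and any(c in p for c in WRITE_COMMANDS))


def writer_process(payload: str) -> str:
    """Process name from the first auditd comm=/exe= field, or '' when there is none."""
    m = COMM_RE.search(payload)
    return m.group(1).rsplit("/", 1)[-1] if m else ""


def classify(event: dict) -> str:
    """Return 'alert', 'suppressed' (matched but allowlisted writer) or 'no_match'."""
    if event["logsourcetypeid"] not in LINUX_LOG_SOURCE_TYPES:
        return "no_match"
    payload = event["payload"]
    if not (branch_file_operation(payload) or branch_shell_write(payload)):
        return "no_match"
    return "suppressed" if writer_process(payload) in BENIGN_WRITERS else "alert"


# Constructed payloads in the shape the Linux DSMs emit; none are real captures.
SAMPLE_EVENTS = [
    {"id": "auditd-user-desktop", "logsourcetypeid": 147,
     "payload": 'type=SYSCALL msg=audit(1717000000.101:204): syscall=257 success=yes '
                'comm="bash" exe="/usr/bin/bash" key="autostart" '
                'name="/home/alice/.config/autostart/df00tech-test.desktop"'},
    {"id": "syslog-sudo-tee", "logsourcetypeid": 191,
     "payload": "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
                "COMMAND=/usr/bin/tee /etc/xdg/autostart/df00tech-sysupdate.desktop"},
    {"id": "syslog-cp-no-extension", "logsourcetypeid": 191,
     "payload": "session[2201]: alice ran: cp /tmp/updater /home/alice/.config/autostart/"},
    {"id": "auditd-dpkg-postinst", "logsourcetypeid": 148,
     "payload": 'type=PATH msg=audit(1717000000.222:305): item=1 '
                'name="/etc/xdg/autostart/example-tray.desktop" comm="dpkg" exe="/usr/bin/dpkg"'},
    {"id": "syslog-unrelated", "logsourcetypeid": 191,
     "payload": "sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2"},
    {"id": "non-linux-source", "logsourcetypeid": 999,  # hypothetical non-Linux type id
     "payload": "File created C:\\Users\\alice\\.config\\autostart\\x.desktop"},
]


def run_detection(events=SAMPLE_EVENTS) -> dict:
    """Classify every event; returns {event id: verdict}."""
    return {e["id"]: classify(e) for e in events}


if __name__ == "__main__":
    for event_id, verdict in run_detection().items():
        print(f"{verdict:10s} {event_id}")
```

The third sample shows why the second branch exists: a copy into the autostart directory with no .desktop extension in the command line is missed by the first branch but still caught by the "autostart" plus " cp " pair. The dpkg sample matches the query exactly as a malicious write would, so in QRadar the equivalent suppression belongs in a reference set or a NOT LIKE clause on the process field rather than in the PAYLOAD patterns themselves.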

Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious XDG Autostart Entry (User Level)

    Expected signal: Sysmon for Linux Event ID 11: FileCreate with TargetFilename=~/.config/autostart/df00tech-test.desktop. Audit log: SYSCALL event for openat/creat on the .desktop file path. DeviceFileEvents with ActionType=FileCreated.

  2. Test 2: Create System-Wide XDG Autostart Entry

    Expected signal: Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/etc/xdg/autostart/df00tech-sysupdate.desktop, Image=bash (running as root). Audit log: SYSCALL with auid showing the user who ran sudo. DeviceFileEvents with ActionType=FileCreated.

  3. Test 3: XDG Autostart Entry via Echo (Inline Creation)

    Expected signal: Sysmon for Linux Event ID 1: Process Create for bash/echo with CommandLine containing autostart and .desktop. Sysmon Event ID 11: FileCreate for the .desktop file. DeviceProcessEvents with ProcessCommandLine containing the echo command.
