title: XDG Autostart Entries (T1547.013)
id: df00tech-t1547-013
status: experimental
description: "Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user's desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (.desktop) to configure the user's desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media. Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the Exec directive in the .desktop configuration file. System-wide Autostart entries are located in /etc/xdg/autostart while user entries are located in ~/.config/autostart."
references:
  - https://attack.mitre.org/techniques/T1547/013/
  - https://df00tech.com/detections/T1547.013
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Desktop environment package installations (GNOME, KDE, XFCE) that add .desktop autostart entries for system services like keyring agents, polkit, and accessibility tools"
  - "User-installed applications (Slack, Discord, Spotify, Steam) that create autostart entries during installation or when the user enables 'Start on login'"
  - "System administrators deploying autostart entries via configuration management tools (Ansible, Puppet, Chef) for monitoring agents or corporate tools"
  - "Package manager operations (apt, dnf, pacman) that install or update packages containing XDG autostart entries"
level: medium