AN1096: Analytic 1096
Correlation of file creation/modification of `.desktop` files within XDG autostart directories, followed by execution of processes at user login initiated by the desktop environment. Malicious entries typically include suspicious Exec paths or anomalous names and are not associated with installed packages.
Analyst context for executives and security teams
AN1096 is a Linux detection analytic focused on suspicious `.desktop` autostart entries: files created or modified in XDG autostart directories that later cause processes to run when a user logs in. For leaders, the value is in validating whether Linux workstations or desktop-enabled servers can reveal unauthorized login-startup behavior before it becomes persistent access that complicates incident response.
Executive priority
Prioritize this where Linux endpoints support administrative, engineering, developer, or operational workflows. The business question is whether security teams can prove they monitor user-login persistence paths, distinguish approved application autostarts from anomalous entries, and produce evidence for incident response or compliance reviews. This is not enough by itself to establish compromise, but weak visibility into autostart locations can leave persistence mechanisms outside normal SOC coverage.
Technical view
For Linux systems, validate correlation between `.desktop` file creation or modification in XDG autostart directories and subsequent process execution at user login initiated by the desktop environment. Analysts should inspect the `.desktop` name, Exec path, command line, file owner, timestamp, and whether the entry maps to an installed package. The supplied ATT&CK object does not provide a complete detection rule, tactic mapping, or relationship context, so local baselining is required.
Likely telemetry
- Linux file creation and modification events for `.desktop` files in XDG autostart directories
- User login or graphical session start events
- Process creation events tied to desktop-environment launch activity
- Command line and executable path from `.desktop` Exec fields
- File ownership, permissions, and timestamps
Detection direction
- Correlate new or changed `.desktop` files in XDG autostart paths with processes launched at later user login.
- Flag suspicious Exec paths, unusual names, user-writable locations, or entries not associated with installed packages.
- Baseline legitimate desktop application autostarts to reduce false positives from normal software updates or user-installed applications.
- Validate that endpoint telemetry captures both the file event and the later process execution; missing either side weakens the analytic.
- Review events in context of the affected user account, host role, and recent software installation activity.
Mitigation priorities
- Inventory and baseline expected XDG autostart entries on Linux desktop environments.
- Ensure endpoint logging captures relevant file and process activity on Linux systems where desktop sessions are used.
- Restrict unnecessary write access to autostart locations where operationally feasible.
- Use package management records to help distinguish approved software entries from unmanaged files.
- During incident response, remove unauthorized autostart entries and validate whether associated executables or scripts remain present.
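The detection direction and inventory steps above can be exercised with a small audit script; the one below is an added example, not MITRE or Glexia code. It walks the standard XDG autostart directories, parses each `.desktop` entry, and applies the page's heuristics (user-writable Exec paths, inline interpreter commands, anomalous names, no package backing). The `package_owned` callable is an assumption: on a real host it would wrap `dpkg -S` or `rpm -qf`; the two sample entries are constructed so the logic runs offline.

```python
"""Audit XDG autostart entries against the AN1096 heuristics (added example)."""
import configparser
import os
import shlex
from pathlib import Path

# Standard XDG autostart locations (system-wide, then per-user overrides)
AUTOSTART_DIRS = [Path("/etc/xdg/autostart"), Path(os.path.expanduser("~/.config/autostart"))]
# Prefixes a regular user can write to; login-time launches from here are uncommon
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}

def parse_entry(text):
    """Return (Name, Exec, argv) for a .desktop file; %-field codes are dropped."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      interpolation=None, allow_no_value=True)
    cp.read_string(text)
    sect = cp["Desktop Entry"] if cp.has_section("Desktop Entry") else {}
    exec_line = sect.get("Exec", "")
    try:
        argv = [a for a in shlex.split(exec_line) if not a.startswith("%")]
    except ValueError:          # unbalanced quotes: keep the raw line as one token
        argv = [exec_line]
    return sect.get("Name", ""), exec_line, argv

def assess(path, text, package_owned):
    """List findings for one entry; package_owned(path) is assumed to wrap dpkg -S / rpm -qf."""
    name, exec_line, argv = parse_entry(text)
    findings = []
    if not package_owned(str(path)):
        findings.append("not package-backed")
    for tok in argv:
        if tok.startswith(UNTRUSTED_PREFIXES):
            findings.append(f"user-writable Exec path: {tok}")
    if argv and os.path.basename(argv[0]) in INTERPRETERS and "-c" in argv[1:]:
        findings.append("inline interpreter command in Exec")
    if len(name) <= 2 or not any(c.isalpha() for c in name):
        findings.append(f"anomalous Name: {name!r}")
    return findings

def audit(dirs=AUTOSTART_DIRS, package_owned=lambda p: False):
    """Map each .desktop file under the autostart dirs to its findings."""
    return {str(f): assess(f, f.read_text(errors="replace"), package_owned)
            for d in dirs if d.is_dir() for f in sorted(d.glob("*.desktop"))}

# Constructed samples (not from any real host) so the heuristics can be exercised offline
BENIGN = "[Desktop Entry]\nType=Application\nName=Network Manager Applet\nExec=nm-applet\n"
SUSPECT = "[Desktop Entry]\nType=Application\nName=.x\nExec=/bin/sh -c /tmp/.cache/upd %u\n"

if __name__ == "__main__":
    for f, issues in audit(package_owned=lambda p: p.startswith("/etc/xdg/")).items():
        print(f, "->", issues or "ok")
```

Findings are hints for triage, not verdicts: an entry that is package-backed and launches from a system path but was modified recently still merits a look at its timestamp and owner, as the technical view notes.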
Analyst notes and limits
This analytic is most useful as a persistence-oriented correlation check for Linux graphical environments. It should be treated as a validation target for managed detection and IR readiness: can the team see the file change, understand whether it is package-backed, and connect it to login-time execution?
The supplied ATT&CK object provides no official detection logic, no tactics, and no relationships. It supports Linux only. Local environment baselines, package metadata, and endpoint telemetry quality determine practical usefulness. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 935f2e1e2ee5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1096 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.