DET0390: Linux Detection Strategy for T1547.013 - XDG Autostart Entries
Analyst context for executives and security teams
This detection strategy is tied to ATT&CK T1547.013, XDG Autostart Entries, a Linux persistence and privilege-escalation behavior where desktop autostart configuration can cause programs or commands to run when a user logs in. For leaders, the decision value is whether Linux desktop or workstation environments have enough file-change, login, and process evidence to prove that unexpected autostart behavior would be noticed during routine monitoring or an incident.
Executive priority
Prioritize this where Linux endpoints with graphical desktop environments are business-critical, used by administrators, developers, or privileged users, or included in compliance evidence for endpoint monitoring. The key governance question is not whether ATT&CK names the behavior, but whether the organization can validate legitimate versus unauthorized autostart changes, retain evidence after a suspected compromise, and respond before persistence survives user logins or reboots.
Technical view
ATT&CK provides no official description or detection text for DET0390, so teams should anchor validation to the related technique: XDG Autostart Entries on Linux, associated with persistence and privilege escalation. SOC and detection engineering should confirm visibility into creation or modification of relevant desktop-entry configuration files, the user context making the change, subsequent login events, and processes launched as a result of desktop environment loading. IR playbooks should include review of Linux autostart configuration as a persistence check when investigating suspicious user-session execution.
Likely telemetry
- Linux file creation, modification, and metadata changes for XDG autostart-related .desktop configuration files
- User login/session start events for Linux desktop environments
- Process execution telemetry showing applications or commands launched after user login
- User and privilege context associated with file changes and launched processes
- Endpoint inventory or configuration-management evidence identifying Linux systems with XDG-compliant desktop environments
Detection direction
- Validate that Linux desktop systems are in scope; the detection strategy object itself does not specify platforms, but the related ATT&CK technique is Linux.
- Baseline expected autostart entries for managed Linux images and compare against new, modified, unusual, or user-writable entries.
- Correlate autostart file changes with later login-time process execution to reduce noise and strengthen incident confidence.
- Tune for legitimate software installers, desktop applications, and administrator-driven configuration changes that may update .desktop entries.
- Check for blind spots on developer workstations, non-server Linux endpoints, and systems where EDR or audit collection is weaker for user desktop sessions.
Mitigation priorities
- Establish an approved baseline for Linux desktop autostart configuration on managed endpoints.
- Restrict and monitor write access to autostart locations according to least-privilege and endpoint hardening practices.
- Ensure endpoint logging retains file-change, login, and process-execution evidence long enough to support incident response.
- Include XDG autostart review in Linux persistence triage and post-compromise validation procedures.
- Use configuration management or compliance checks to identify drift from known-good autostart entries.
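A baseline-and-drift check of the kind the detection direction and mitigation items above describe, written here as an added example (it is not code from the ATT&CK object or from Glexia): it parses .desktop files from the two standard XDG autostart directories, compares each entry's Exec against a known-good fingerprint, and then correlates new or modified entries with process executions in the first minutes after the user's session start, which is the noise-reduction step the detection direction calls for. Only the XDG directory names come from the spec; every .desktop text, baseline entry and process event is constructed, and `parse_desktop_entry`, `diff_against_baseline` and `correlate_with_login` are names chosen for this example.

```python
"""XDG autostart baseline diff plus login-time execution correlation.
Added example, not part of the ATT&CK object or of Glexia's tooling; the
directory names follow the XDG autostart spec, everything else is constructed."""
import configparser
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

SYSTEM_AUTOSTART_DIR = "/etc/xdg/autostart"  # system-wide, root-writable
USER_AUTOSTART_DIR = "/.config/autostart"    # under $HOME, user-writable


@dataclass
class AutostartEntry:
    path: str
    exec_cmd: str
    hidden: bool
    owner: str  # file owner as reported by the collector


def parse_desktop_entry(path, text, owner):
    """Parse the [Desktop Entry] group. RawConfigParser avoids choking on the
    '%u'/'%f' field codes in Exec; strict=False tolerates duplicate keys."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read_string(text)
    sect = cp["Desktop Entry"]
    return AutostartEntry(
        path=path,
        exec_cmd=sect.get("Exec", "").strip(),
        hidden=sect.get("Hidden", "false").strip().lower() == "true",
        owner=owner,
    )


def fingerprint(entry):
    """Hash of what the desktop environment will actually launch."""
    return hashlib.sha256(f"{entry.exec_cmd}|{entry.hidden}".encode()).hexdigest()


def diff_against_baseline(entries, baseline):
    """Return (kind, entry) findings. baseline maps path -> fingerprint taken
    from the managed image; entries in a home directory are flagged as user-writable."""
    findings = []
    for e in entries:
        known = baseline.get(e.path)
        if known is None:
            kind = "new_user_entry" if USER_AUTOSTART_DIR in e.path else "new_entry"
            findings.append((kind, e))
        elif known != fingerprint(e):
            findings.append(("modified_exec", e))
    return findings


def correlate_with_login(findings, login_user, login_time, exec_events, window_s=120):
    """Keep findings whose program ran as the session user within window_s of
    session start. exec_events are (timestamp, user, cmdline). Autostart entries
    run as the logging-in user, so the match is on session user, not file owner."""
    confirmed = []
    for kind, e in findings:
        prog = e.exec_cmd.split()[0] if e.exec_cmd else None
        for ts, user, cmd in exec_events:
            in_window = login_time <= ts <= login_time + timedelta(seconds=window_s)
            if prog and user == login_user and cmd.split()[0] == prog and in_window:
                confirmed.append((kind, e.path, ts.isoformat()))
                break
    return confirmed


# --- constructed sample data ---------------------------------------------
DESKTOP = "[Desktop Entry]\nType=Application\nName={}\nExec={}\n"
KNOWN_GOOD = {  # what the managed image shipped
    f"{SYSTEM_AUTOSTART_DIR}/managed-agent.desktop":
        DESKTOP.format("Managed Agent", "/opt/managed/agent --daemon"),
}
OBSERVED = [  # what the collector found on the host: (path, text, owner)
    (f"{SYSTEM_AUTOSTART_DIR}/managed-agent.desktop",
     DESKTOP.format("Managed Agent", "/opt/managed/agent --daemon --config /var/tmp/agent.conf"),
     "root"),
    (f"/home/alice{USER_AUTOSTART_DIR}/sync-notes.desktop",
     DESKTOP.format("Sync Notes", "/home/alice/.local/bin/sync-notes --quiet %u"), "alice"),
]
LOGIN_TIME = datetime(2026, 1, 15, 9, 0, 0)
EXEC_EVENTS = [  # constructed process telemetry for alice's session
    (datetime(2026, 1, 15, 9, 0, 2), "alice", "/opt/managed/agent --daemon --config /var/tmp/agent.conf"),
    (datetime(2026, 1, 15, 9, 0, 4), "alice", "/home/alice/.local/bin/sync-notes --quiet"),
    (datetime(2026, 1, 15, 9, 45, 0), "alice", "/usr/bin/firefox"),
]


def run_check():
    baseline = {p: fingerprint(parse_desktop_entry(p, t, "root")) for p, t in KNOWN_GOOD.items()}
    entries = [parse_desktop_entry(p, t, o) for p, t, o in OBSERVED]
    findings = diff_against_baseline(entries, baseline)
    return findings, correlate_with_login(findings, "alice", LOGIN_TIME, EXEC_EVENTS)


if __name__ == "__main__":
    for kind, path, ts in run_check()[1]:
        print(f"{kind}: {path} executed at {ts}")
```

Running the sample yields two confirmed findings: the system entry whose Exec drifted from the image, and a new user-writable entry, both seen executing within seconds of session start. In production the `KNOWN_GOOD` map would be generated from the golden image by configuration management, and the Firefox launch 45 minutes in falls outside the window and is ignored, which is the point of correlating on session start rather than on any execution.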
Analyst notes and limits
The supplied object is a MITRE detection strategy, DET0390, that detects T1547.013 XDG Autostart Entries. Because the official detection and description fields are not provided, this take relies on the stated relationship to the ATT&CK technique and its supplied description, tactics, and platform context.
No official DET0390 detection logic, data sources, analytics, platforms, or procedural examples were supplied. Local validation is required to determine which Linux systems use XDG-compliant desktop environments, what telemetry is collected, and what autostart entries are legitimate in the environment.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.013 | XDG Autostart Entries Sub-technique | This object detects XDG Autostart Entries. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | daa7d08176c7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0390 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.