Persistence via KDE AutoStart Script or Desktop File Modification

edit

Persistence via KDE AutoStart Script or Desktop File Modification

edit

Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
file where event.type != "deletion" and file.extension in ("sh",
"desktop") and file.path : (
"/home/*/.config/autostart/*", "/root/.config/autostart/*",
"/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
"/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
"/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
"/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
"/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
"/home/*/.config/autostart-scripts/*", "/root/.config/autostart-
scripts/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*"
)

Threat mapping

edit

Framework: MITRE ATT&CKTM