IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Persistence via Hidden Run Key Detected Persistence via Login or Logout Hook »
Elastic Docs Elastic Security Solution [7.16] Detections and alerts Prebuilt rule reference

Persistence via KDE AutoStart Script or Desktop File Modification

edit

Persistence via KDE AutoStart Script or Desktop File Modification

edit

Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
file where event.type != "deletion" and file.extension in ("sh",
"desktop") and file.path : (
"/home/*/.config/autostart/*", "/root/.config/autostart/*",
"/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
"/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
"/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
"/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
"/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
"/home/*/.config/autostart-scripts/*", "/root/.config/autostart-
scripts/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*"
)

Threat mapping

edit

Framework: MITRE ATT&CKTM

« Persistence via Hidden Run Key Detected Persistence via Login or Logout Hook »