XDG Autostart Entries

Linux Detection Strategy for T1547.013 - XDG Autostart Entries

Restrict File and Directory Permissions: Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

Enforce Least Privilege Permissions:

• Remove unnecessary write permissions on sensitive files and directories.
• Use file ownership and groups to control access for specific roles.

Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.

Harden File Shares:

• Disable anonymous access to shared folders.
• Enforce NTFS permissions for shared folders on Windows.

Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access.

On Linux, apply: chmod 750 /etc/sensitive.conf chown root:admin /etc/sensitive.conf

File Integrity Monitoring (FIM):

• Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.

Audit File System Access:

• Enable auditing to track permission changes or unauthorized access attempts.
• Use auditd (Linux) or Event Viewer (Windows) to log activities.

Restrict Startup Directories:

• Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu.

Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.

• On Windows, use icacls to modify permissions: icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F
• On Linux, monitor permissions using tools like lsattr or auditd.

User Account Management: User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

• Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted.
• Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

• Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse.
• Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

• Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits.
• Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

• Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes.
• Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

• Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics.
• Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

• Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions.
• Use Case: Protects sensitive accounts from misuse or exploitation.

Tools for Implementation

Built-in Tools:

• Microsoft Active Directory (AD): Centralized account management and RBAC enforcement.
• Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

• Okta: Centralized user provisioning, MFA, and SSO integration.
• Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM):

• CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Limit Software Installation: Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles. This mitigation can be implemented through the following measures:

Application Whitelisting

• Implement Microsoft AppLocker or Windows Defender Application Control (WDAC) to create and enforce allowlists for approved software.
• Whitelist applications based on file hash, path, or digital signatures.

Restrict User Permissions

• Remove local administrator rights for all non-IT users.
• Use Role-Based Access Control (RBAC) to restrict installation permissions to privileged accounts only.

Software Restriction Policies (SRP)

• Use GPO to configure SRP to deny execution of binaries from directories such as %AppData%, %Temp%, and external drives.
• Restrict specific file types (.exe, .bat, .msi, .js, .vbs) to trusted directories only.

Endpoint Management Solutions

• Deploy tools like Microsoft Intune, SCCM, or Jamf for centralized software management.
• Maintain a list of approved software, versions, and updates across the enterprise.

Monitor Software Installation Events

• Enable logging of software installation events and monitor Windows Event ID 4688 and Event ID 11707 for software installs.
• Use SIEM or EDR tools to alert on attempts to install unapproved software.

Implement Software Inventory Management

• Use tools like OSQuery or Wazuh to scan for unauthorized software on endpoints and servers.
• Conduct regular audits to detect and remove unapproved software.

Tools for Implementation

Application Whitelisting:

• Microsoft AppLocker
• Windows Defender Application Control (WDAC)

Endpoint Management:

• Microsoft Intune
• SCCM (System Center Configuration Manager)
• Jamf Pro (macOS)
• Puppet or Ansible for automation

Software Restriction Policies:

• Group Policy Object (GPO)
• Microsoft Software Restriction Policies (SRP)

Monitoring and Logging:

• Splunk
• OSQuery
• Wazuh (open-source SIEM and XDR)
• EDRs

Inventory Management and Auditing:

• OSQuery
• Wazuh