Autostart

Autostart mechanisms allow specific applications, services, or scripts to automatically start when the computer boots up or a user logs on. This is a popular vector for malicious actors trying to establish persistence on a compromised system.

Systemd Services

systemd is a system and service manager for Linux that is responsible for starting, stopping, and managing system services. In order to have services autostart, the unit configuration file needs to be placed in the appropriate directory [1][2][3].

  • /usr/lib/systemd/system/: Systemd unit files distributed with installed RPM packages.
  • /run/systemd/system/: Systemd unit files created at run time. This directory takes precedence over the directory with installed service unit files.
  • /etc/systemd/system/: Systemd unit files created by systemctl enable as well as unit files added for extending a service. This directory takes precedence over the directory with runtime unit files.

Previous versions of Red Hat used /etc/rc.d/init.d/, where the startup scripts are written in Bash. This folder should be reviewed and any scripts in it thoroughly examined.

Run Level   Target Units                               Description [3]
0           runlevel0.target, poweroff.target          Shut down and power off
1           runlevel1.target, rescue.target            Set up a rescue shell
2,3,4       runlevel[234].target, multi-user.target    Set up a non-gfx multi-user shell
5           runlevel5.target, graphical.target         Set up a gfx multi-user shell
6           runlevel6.target, reboot.target            Shut down and reboot the system

Note that not all of the unit files present in these directories are enabled.

In order to get a list of all enabled services, the symlinks in the .wants directories of the various targets (run levels) need to be examined.

[tlasso@rhel-richmondfc system]$ ls -l multi-user.target.wants
total 0
lrwxrwxrwx. 1 root root 35 Jun 14 02:28 atd.service -> /usr/lib/systemd/system/atd.service
lrwxrwxrwx. 1 root root 38 Jun 14 02:26 auditd.service -> /usr/lib/systemd/system/auditd.service
lrwxrwxrwx. 1 root root 44 Jun 14 02:26 avahi-daemon.service -> /usr/lib/systemd/system/avahi-daemon.service
lrwxrwxrwx. 1 root root 39 Jun 14 02:28 chronyd.service -> /usr/lib/systemd/system/chronyd.service
lrwxrwxrwx. 1 root root 37 Jun 14 02:26 crond.service -> /usr/lib/systemd/system/crond.service
lrwxrwxrwx. 1 root root 33 Jun 14 02:27 cups.path -> /usr/lib/systemd/system/cups.path
lrwxrwxrwx. 1 root root 36 Jun 14 02:27 cups.service -> /usr/lib/systemd/system/cups.service
lrwxrwxrwx. 1 root root 41 Jun 14 02:28 firewalld.service -> /usr/lib/systemd/system/firewalld.service

As seen below, there are several .wants directories defined in RHEL.

[tlasso@rhel-richmondfc system]$ ls | grep wants
basic.target.wants
bluetooth.target.wants
default.target.wants
dev-virtio\x2dports-org.qemu.guest_agent.0.device.wants
getty.target.wants
graphical.target.wants
local-fs.target.wants
multi-user.target.wants
network-online.target.wants
printer.target.wants
remote-fs.target.wants
sockets.target.wants
sysinit.target.wants
timers.target.wants

XDG autostart

XDG autostart defines a specification to start applications automatically when a desktop environment is started. It does this by placing .desktop files in specific directories. The directories that are used for XDG autostart are [4]:

~/.config/autostart (user-specific)
/etc/xdg/autostart (system-wide)

The most important key in a .desktop file for XDG autostart is the Exec key, which specifies the command that should be run when the application is started.

For example, the contents of the vmware-user.desktop file are shown below. The Exec key here is /usr/bin/vmware-user-suid-wrapper, which will be launched automatically when the desktop session starts.

[tlasso@rhel-richmondfc etc]$ cat /etc/xdg/autostart/vmware-user.desktop 
[Desktop Entry]
Type=Application

Exec=/usr/bin/vmware-user-suid-wrapper
Name=VMware User Agent
# KDE bug 190522: KDE does not autostart items with NoDisplay=true...
# NoDisplay=true
X-KDE-autostart-phase=1
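The following helper script is an added example, not part of the original page, covering both the systemd .wants review above and the XDG autostart Exec key. It assumes the .wants symlinks use absolute targets (as in the ls output above) and classifies each enabled unit by whether it points into the packaged (/usr/lib), administrator (/etc) or runtime (/run) unit directory; build_sample creates a constructed directory tree so the functions can be tried offline.

```shell
#!/bin/sh
# Added triage helpers (not from the original page). Classify each enabled
# unit by where its *.wants symlink points: packaged (/usr/lib), admin-added
# (/etc) or runtime (/run), following the precedence order described above.
# Usage: list_wants [SYSTEMD_DIR]   (default: /etc/systemd/system)
list_wants() {
  dir="${1:-/etc/systemd/system}"
  for wants in "$dir"/*.wants; do
    [ -d "$wants" ] || continue
    for link in "$wants"/*; do
      [ -L "$link" ] || continue      # only symlinks represent enabled units
      target=$(readlink "$link")      # absolute path written by systemctl enable
      case "$target" in
        /usr/lib/systemd/system/*) origin=packaged ;;
        /etc/systemd/system/*)     origin=admin ;;
        /run/systemd/system/*)     origin=runtime ;;
        *)                         origin=other ;;
      esac
      printf '%s %s %s %s\n' "$(basename "$wants")" "$(basename "$link")" "$origin" "$target"
    done
  done
}

# Print the first Exec= line of every .desktop file in the given XDG autostart
# directories, e.g. xdg_exec /etc/xdg/autostart "$HOME/.config/autostart".
xdg_exec() {
  for d in "$@"; do
    for f in "$d"/*.desktop; do
      [ -f "$f" ] || continue
      printf '%s %s\n' "$f" "$(sed -n 's/^Exec=//p' "$f" | head -n 1)"
    done
  done
}

# Build a constructed sample tree (not a real system) so both functions can be
# exercised offline; prints the root directory.
build_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/lib/systemd/system" "$root/etc/xdg/autostart" \
           "$root/etc/systemd/system/multi-user.target.wants"
  : > "$root/usr/lib/systemd/system/crond.service"   # packaged unit
  : > "$root/etc/systemd/system/updater.service"     # admin-added unit (constructed)
  ln -s /usr/lib/systemd/system/crond.service \
        "$root/etc/systemd/system/multi-user.target.wants/crond.service"
  ln -s /etc/systemd/system/updater.service \
        "$root/etc/systemd/system/multi-user.target.wants/updater.service"
  printf '[Desktop Entry]\nType=Application\nExec=/usr/bin/vmware-user-suid-wrapper\nName=VMware User Agent\n' \
    > "$root/etc/xdg/autostart/vmware-user.desktop"
  printf '%s\n' "$root"
}
```

On a live system run `list_wants` with no argument and `xdg_exec /etc/xdg/autostart "$HOME/.config/autostart"`; units reported as admin, runtime or other are the ones that did not come from a package and deserve a closer look.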

Scripts

The .bashrc file is a script that is executed whenever a new interactive terminal session is opened. It is often used for setting environment variables, defining functions, or customizing the command prompt.

.bash_profile and .bash_login are similar to .bashrc, but are executed when a login shell session is started, which typically happens when a user logs on at the console, through ssh, or with the su - username command.

These scripts should also be reviewed for malicious actions.

[5] https://superuser.com/questions/594819/getting-list-of-startup-application-in-linux

[6] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/chap-managing_services_with_systemd