After I posted it, @netspooky pinged me with some additional info. Apparently, this technique has been known since at least 2019 and was first demoed by @zer0pwn. This blog post from MCG describes various offensive techniques focused on .desktop and .directory files.
To modify the list of startup applications, you can follow these steps, i.e. press ALT+F2, type ‘gnome-session-properties’ and press Enter.
Once you add a new entry, for example:
you will find the following .desktop file in your user home .config/autostart sub-directory:
According to this tweet, you can modify the:
and this way the entry will ‘disappear’ from the ALT+F2 GUI dialog box. As far as I can tell, this doesn’t work (tested on Ubuntu 22.04.1).
In any case, add .config/autostart directories to your DFIR analysis workflow.
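One way to fold this into triage, as an added example that is not code from the original post: it reads the .desktop files straight from disk, so an entry is listed whether or not the GUI dialog shows it. The function names, the constructed sample entry and the idea of passing in a list of home directories are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Constructed sample entry, not taken from the original post.
SAMPLE = """[Desktop Entry]
Type=Application
Name=Example entry
Exec=/usr/bin/example-app --start
# a comment line
[Desktop Action Other]
Exec=/usr/bin/ignored
"""

def parse_desktop_entry(text):
    """Return {key: [values]} for the [Desktop Entry] group only."""
    keys, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Desktop Entry" and "=" in line:
            key, value = line.split("=", 1)
            # Keep every value so duplicated keys stay visible to the analyst.
            keys.setdefault(key.strip(), []).append(value.strip())
    return keys

def triage_autostart(home_dirs):
    """List every .desktop file under <home>/.config/autostart with its keys."""
    findings = []
    for home in home_dirs:
        autostart = Path(home, ".config", "autostart")
        for path in sorted(autostart.glob("*.desktop")):
            entry = parse_desktop_entry(path.read_text(errors="replace"))
            findings.append({
                "file": str(path),
                "mtime": path.stat().st_mtime,
                "exec": entry.pop("Exec", []),
                "other_keys": entry,
            })
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:  # stand-in for a user home
        d = Path(home, ".config", "autostart")
        d.mkdir(parents=True)
        (d / "example.desktop").write_text(SAMPLE)
        for item in triage_autostart([home]):
            print(item["file"], item["exec"], item["other_keys"])
```

On a mounted image, pass the home directories found under the mount point; the modification time is returned as a raw epoch value so it can be placed on a timeline.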
Once again, thanks to Stephan, who brought this to my attention. While we will probably never experience a true ‘year of Linux on the desktop’ phenomenon, it’s good to know what the existing, GUI-oriented, non-power-user-oriented Linux desktop experience brings to the table…