Update

After I posted it, @netspooky pinged me with some additional info. Apparently, this technique is known since at least 2019 and was demoed by @zer0pwn first. This blog post from MCG describes various offensive techniques focused on .desktop and .directory files.

Old Post

This entry is a courtesy of Stephan, who has discovered that .desktop files can be used for persistence as well. Apparently, an ElectroRAT malware is already using this trick in the wild as well.

To modify a list of startup application, you can follow these steps: aka press ALT+F2 and type ‘gnome-session-properties’ and enter.

Once you add a new entry f.ex.:

you will find the following .desktop file in your user home .config/autostart sub-directory:

According to this tweet, you can modify the:

NoDisplay=false

line to:

NoDisplay=true

and this way the entry will ‘disappear’ from the ALT+F2 GUI dialog box. As far as I can tell, this doesn’t work (tested on Ubuntu 22.04.1).

In any case, add .config/autostart directories to your DFIR analysis workflow.

Once again, thanks to Stephan who brought this to my attention. While we will probably never experience a true ‘year of linux on the desktop’ phenomenon, it’s good to know what the existing, GUI-oriented, non-power-user-oriented Linux desktop experience brings to the table…

Okay, okay, yup, it is a series now. Part two is here!

Browsing available Ubuntu apps one can find a lot of interesting software. One of them is kchmviewer. Its purpose is to view CHM files – outdated, but still relevant Windows Help files.

Interestingly, one can set up an alternative program to View HTML in this program:

Once this is set up, when you open a CHM file on an Ubuntu OS and hit View HTML button:

your program of choice will be executed (but it may not be visible on UI) :

ps -afx | grep calc
13916 pts/0 S+ 0:00 | _ grep --color=auto calc
13903 ? Sl 0:00 _ /usr/bin/gnome-calculator /tmp/kchmviewer.qpoDLl

It’s a really horrible and desperate persistence mechanism, but we have to document it all, right?