Skip to content
Threat Feed
medium advisory

Suspicious XDG-Open Command Execution on Linux

This brief details a detection rule for the `xdg-open` command on Linux systems, which attackers abuse to trick users into opening malicious documents or URLs, leading to user execution and potential system compromise.

This intelligence describes a detection opportunity concerning the xdg-open utility on Linux systems. While xdg-open is a legitimate command used to open files or URLs in a user's preferred desktop application, it can be leveraged by adversaries as part of an initial access or execution chain. Attackers might craft spearphishing emails containing malicious links or documents that, when opened by the user, trigger xdg-open to execute their payload. This technique relies on user interaction (User Execution, T1204) to bypass security controls and initiate further malicious activity. This specific detection rule, developed by Elastic, targets the execution of xdg-open itself, aiming to identify instances where it might be invoked as a result of user interaction with malicious content. The rule was published on July 2nd, 2026, and provides a generic detection for this common Linux utility's suspicious usage.

Attack Chain

  1. Initial Access / User Interaction: An attacker sends a spearphishing email or hosts a malicious website presenting a malicious link or file (e.g., a .desktop file, a crafted document, or a URL).
  2. User Execution: The target user, tricked by social engineering, interacts with the malicious content, either by clicking a link or opening a file.
  3. xdg-open Invocation: The user's desktop environment or a script silently invokes xdg-open to handle the malicious link or file, believing it to be legitimate.
  4. Malicious Payload Delivery/Execution: xdg-open attempts to open the attacker-controlled resource, which could be a remote URL hosting an exploit, a local malicious script, or a document embedded with macros or other executable content.
  5. Initial Compromise: Successful exploitation leads to arbitrary code execution on the user's system.
  6. Further Actions: The attacker can then establish persistence, exfiltrate data, or deploy additional malware.

Impact

A successful exploit leveraging xdg-open can lead to initial system compromise, allowing attackers to execute arbitrary code with the privileges of the compromised user. Depending on the payload delivered, this could result in data exfiltration, installation of ransomware or other malware, or the establishment of a foothold for lateral movement within the network. This technique is often used as a gateway for more extensive attacks, impacting user workstations and potentially leading to broader organizational breaches. The primary impact is the loss of confidentiality, integrity, and availability of data and systems.

Recommendation

  • Deploy the provided Sigma rule to your SIEM/EDR platform to detect suspicious xdg-open command executions on Linux endpoints.
  • Ensure process creation logging for Linux systems (process_creation category, linux product) is enabled and forwarded to your security platforms for analysis.
  • Educate users about the risks of opening unsolicited attachments or clicking on suspicious links to mitigate the effectiveness of User Execution (T1204).

Detection coverage 1

XDG-Open Command Execution

medium

Detects the execution of the xdg-open process, which attackers may use to trick users into opening malicious documents or URLs to gain access to the target system.

sigma tactics: execution techniques: T1204, T1204.001, T1204.002 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →