Detects adversarial abuse of systemd timers by correlating the creation or modification of .timer and .service unit files in system unit directories with the execution of abnormal child processes launched by systemd (PID 1), especially when those processes run as root.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | creat, open, write on /etc/systemd/system and /usr/lib/systemd/system |
| Process Creation (DC0032) | auditd:SYSCALL | execve logging for /usr/bin/systemctl and systemd-run |
| Scheduled Job Creation (DC0001) | linux:osquery | file_events |

| Field | Description |
|---|---|
| TimerIntervalThreshold | The interval threshold used to determine if a newly created timer is unusually frequent or immediate (e.g., < 5 minutes). |
| ParentProcessID | Whether the child process has a parent PID of 1, indicating systemd as the invoker. Can be tuned to include known benign cases. |
| UserContext | User under which the timer/service is created or executed (e.g., root vs. non-root). |
| TimerCreationPath | The path where the timer or service file is created; system-wide vs. user space can be scoped. |
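The correlation described above, as an added example that is not part of this detection strategy's own content: it slides a window (the TimerIntervalThreshold) over time-ordered events, remembers unit-file writes under the system unit directories, and raises an alert when a non-allowlisted child of PID 1 runs as root while such a write is still inside the window. The event dicts, the allowlist and the tunable values are constructed assumptions; real auditd SYSCALL/PATH and osquery file_events records would be normalised into this shape first.

```python
"""Correlate systemd unit-file writes with suspicious children of PID 1."""
from collections import deque

# Tunables mirroring the table above (assumed values).
UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/")  # TimerCreationPath: system scope
UNIT_SUFFIXES = (".timer", ".service")
TIMER_INTERVAL_THRESHOLD = 300   # seconds between a unit write and the first execution
PARENT_PID = 1                   # ParentProcessID: systemd
ROOT_ONLY = True                 # UserContext: alert only on uid 0
BENIGN_CHILDREN = {"/usr/sbin/cron", "/usr/lib/systemd/systemd-journald"}  # assumed allowlist

# Constructed sample events, sorted by 'ts' (epoch seconds).
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "file", "path": "/etc/systemd/system/backup.timer", "uid": 0},
    {"ts": 1005, "type": "file", "path": "/etc/systemd/system/backup.service", "uid": 0},
    {"ts": 1120, "type": "exec", "exe": "/usr/bin/curl", "ppid": 1, "uid": 0},      # inside window
    {"ts": 1130, "type": "exec", "exe": "/usr/sbin/cron", "ppid": 1, "uid": 0},     # allowlisted
    {"ts": 2000, "type": "exec", "exe": "/usr/bin/python3", "ppid": 1, "uid": 0},   # window expired
    {"ts": 2100, "type": "file", "path": "/home/u/.config/systemd/user/x.timer", "uid": 1000},  # user scope
    {"ts": 2150, "type": "exec", "exe": "/usr/bin/bash", "ppid": 1, "uid": 1000},   # non-root
]


def is_unit_write(ev):
    """True for a file event that touches a .timer/.service unit in a system unit directory."""
    return (ev["type"] == "file"
            and ev["path"].startswith(UNIT_DIRS)
            and ev["path"].endswith(UNIT_SUFFIXES))


def correlate(events, window=TIMER_INTERVAL_THRESHOLD):
    """Return (exec_event, [unit writes still inside the window]) pairs worth alerting on."""
    recent_writes = deque()
    alerts = []
    for ev in events:
        # Expire unit writes older than the window before looking at this event.
        while recent_writes and ev["ts"] - recent_writes[0]["ts"] > window:
            recent_writes.popleft()
        if is_unit_write(ev):
            recent_writes.append(ev)
        elif ev["type"] == "exec":
            if ev["ppid"] != PARENT_PID or ev["exe"] in BENIGN_CHILDREN:
                continue
            if ROOT_ONLY and ev["uid"] != 0:
                continue
            if recent_writes:
                alerts.append((ev, list(recent_writes)))
    return alerts


if __name__ == "__main__":
    for proc, writes in correlate(SAMPLE_EVENTS):
        print(f"ALERT ts={proc['ts']} exe={proc['exe']} after {[w['path'] for w in writes]}")
```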