1. Home
  2. Techniques
  3. Enterprise
  4. Scheduled Task/Job
  5. Systemd Timers

Scheduled Task/Job: Systemd Timers

ID Name
T1053.002 At
T1053.003 Cron
T1053.005 Scheduled Task
T1053.006 Systemd Timers
T1053.007 Container Orchestration Job

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.[1] Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.[2]

Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are Systemd Service unit files that are managed by the systemd system and service manager.[3] Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.

An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.[4][5][6] Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.[7]

ID: T1053.006
Sub-technique of:  T1053
Platforms: Linux
Contributors: SarathKumar Rajendran, Trimble Inc
Version: 1.3
Created: 12 October 2020
Last Modified: 24 October 2025
Version Permalink

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files.

M1022 Restrict File and Directory Permissions

Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services.
M1018 User Account Management

Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0231 Behavioral Detection of Systemd Timer Abuse for Scheduled Execution AN0645

Detects adversarial abuse of systemd timers by correlating file creation/modification of .timer and .service units in system directories with the execution of abnormal child processes launched by 'systemd' (PID 1), especially as root.

References

  1. archlinux. (2020, August 11). systemd/Timers. Retrieved October 12, 2020.
  2. Aaron Kili. (2018, January 16). How to Control Systemd Services on Remote Linux Server. Retrieved July 26, 2021.
  3. Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.
  4. Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.
  1. Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.
  2. Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.
  3. Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.