Scheduled Task/Job: Systemd Timers

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.[1] Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.[2]

Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are Systemd Service unit files that are managed by the systemd system and service manager.[3] Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.

An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.[4][5][6] Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.[7]

ID: T1053.006
Sub-technique of:  T1053
Platforms: Linux
Permissions Required: User, root
Supports Remote:  Yes
Contributors: SarathKumar Rajendran, Trimble Inc
Version: 1.2
Created: 12 October 2020
Last Modified: 15 October 2024

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files.

M1022 Restrict File and Directory Permissions

Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services.

M1018 User Account Management

Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments the 'systemd-run' utility as it may be used to create timers.

Analytic 1 - Look for systemd-run execution with arguments indicative of timer creation.

sourcetype=linux_logs (command="systemctl" OR command="systemd-run")

DS0022 File File Modification

Monitor for changes made to systemd timer unit files for unexpected modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links.

Analytic 1 - Look for systemd timer file modifications with unusual parameters.

sourcetype=linux_file_audit (file_path="/etc/systemd/system/.timer" OR file_path="/etc/systemd/system/.service" OR file_path="~/.config/systemd/user/.timer" OR file_path="/usr/lib/systemd/system/.timer")| stats count by user host file_path action| where action="Create" OR action="Write"

DS0009 Process Process Creation

Monitor for newly constructed processes and/or command-lines that will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

Note: This query looks for processes spawned by systemd (parent process systemd, with a PID of 1). These processes should be examined for anomalous behavior, particularly when running as the root user.

Analytic 1 - Look for processes with parent process systemdand unusual parameters.

sourcetype=linux_process_creation parent_process_name="systemd"

DS0003 Scheduled Job Scheduled Job Creation

Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.

Analytic 1 - Look for systemd timer creation events with unusual parameters.

sourcetype=linux_logs (command="systemctl start .timer" OR command="systemctl enable .timer" OR command="systemctl daemon-reload")

References