T1053.006: Systemd Timers
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the systemctl
command line utility, which operates over SSH.
Each .timer
file must have a corresponding .service
file with the same name, e.g., example.timer
and example.service
. .service
files are Systemd Service unit files that are managed by the systemd system and service manager. Privileged timers are written to /etc/systemd/system/
and /usr/lib/systemd/system
while user level are written to ~/.config/systemd/user/
.
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence. Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_persistence: PT-CR-1664: Unix_Systemd_Timers: Persistence on a host was gained using systemd timer files. Attackers can use a timer to execute malicious code at system startup or based on a schedule to gain persistence and escalate privileges.
Detection
ID | DS0022 | Data source and component | File: File Modification | Description | Monitor for changes made to systemd timer unit files for unexpected modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly constructed processes and/or command-lines that will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments the 'systemd-run' utility as it may be used to create timers |
---|
ID | DS0003 | Data source and component | Scheduled Job: Scheduled Job Creation | Description | Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. |
---|
Mitigation
ID | M1018 | Name | User Account Management | Description | Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need. |
---|
ID | M1026 | Name | Privileged Account Management | Description | Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files. |
---|
ID | M1022 | Name | Restrict File and Directory Permissions | Description | Restrict read/write access to systemd |
---|