DET0231 Behavioral Detection of Systemd Timer Abuse for Scheduled Execution

| Item | Value |
| --- | --- |
| ID | DET0231 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1053.006 (Systemd Timers)

Analytics

Linux

AN0645

Detects adversarial abuse of systemd timers by correlating file creation/modification of .timer and .service units in system directories with the execution of abnormal child processes launched by ‘systemd’ (PID 1), especially as root.

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| File Creation | DC0039 | auditd:SYSCALL creat, open, write on /etc/systemd/system and /usr/lib/systemd/system |
| Process Creation | DC0032 | auditd:SYSCALL execve logging for /usr/bin/systemctl and systemd-run |
| Scheduled Job Creation | DC0001 | linux:osquery file_events |
Mutable Elements
| Field | Description |
| --- | --- |
| TimerIntervalThreshold | The interval threshold used to determine whether a newly created timer is unusually frequent or immediate (e.g., < 5 minutes). |
| ParentProcessID | Whether the child process has a parent PID of 1, indicating systemd as the invoker. Can be tuned to exclude known benign cases. |
| UserContext | User under which the timer/service is created or executed (e.g., root vs. non-root). |
| TimerCreationPath | The path where the timer or service file is created; system-wide vs. user space can be scoped. |
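The correlation that AN0645 describes, implemented as an added example against constructed auditd records (this is not code from the ATT&CK page or from MITRE). It groups SYSCALL and PATH records by audit serial, treats a successful open/creat/openat on a `.timer` or `.service` file under a TimerCreationPath as a unit write, and raises one alert per non-allowlisted execve whose parent is PID 1 within a correlation window of that write, scoring it higher when UserContext is root. A second helper parses the monotonic `On*Sec=` settings of a timer unit so TimerIntervalThreshold can be applied to the unit's actual interval. The sample log lines, the sample unit, the ten-minute window and the benign-child allowlist are all assumptions constructed for the example.

```python
"""Correlate systemd unit-file writes with processes spawned by PID 1.

Added example for the AN0645 analytic, not code from the DET0231 page.
The auditd lines, unit file, window and allowlist below are constructed.
"""
import re

# Mutable elements from the analytic, expressed as tunable constants.
TIMER_INTERVAL_THRESHOLD_SEC = 300   # TimerIntervalThreshold: under 5 minutes is "unusually frequent"
TIMER_CREATION_PATHS = ("/etc/systemd/system/", "/usr/lib/systemd/system/")  # TimerCreationPath scope
BENIGN_PID1_CHILDREN = {"/usr/lib/systemd/systemd-tmpfiles"}  # ParentProcessID tuning (constructed allowlist)
CORRELATION_WINDOW_SEC = 600         # constructed: unit write must precede the exec by at most 10 minutes

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
SYSCALL_EXECVE = "59"                    # x86_64 numbers as auditd reports them
SYSCALL_FILE_WRITE = {"2", "85", "257"}  # open, creat, openat


def parse_audit_record(line):
    """Turn one auditd record into a dict of key=value fields plus epoch seconds and serial."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"], fields["serial"] = int(m.group(1)), m.group(2)
    return fields


def parse_timer_interval(unit_text):
    """Smallest monotonic interval (seconds) in a .timer unit, or None if only calendar-based."""
    unit_mult = {"": 1, "s": 1, "sec": 1, "ms": 0.001, "m": 60, "min": 60,
                 "h": 3600, "hr": 3600, "d": 86400}
    intervals = []
    for _key, value in re.findall(r"^(On\w+Sec)=(.+)$", unit_text, re.MULTILINE):
        # A value may combine units ("1h 30min"); unknown units fall back to seconds.
        total = sum(int(n) * unit_mult.get(u, 1) for n, u in re.findall(r"(\d+)\s*([a-z]*)", value))
        intervals.append(total)
    return min(intervals) if intervals else None


def timer_is_unusually_frequent(unit_text):
    interval = parse_timer_interval(unit_text)
    return interval is not None and interval < TIMER_INTERVAL_THRESHOLD_SEC


def correlate(audit_lines):
    """One alert per non-allowlisted process that PID 1 spawned shortly after a unit-file write."""
    by_serial = {}
    for line in audit_lines:
        rec = parse_audit_record(line)
        if rec:
            by_serial.setdefault(rec["serial"], []).append(rec)

    unit_writes, execs = [], []
    for records in by_serial.values():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if not syscall or syscall.get("success") != "yes":
            continue
        if syscall.get("syscall") == SYSCALL_EXECVE:
            execs.append(syscall)
        elif syscall.get("syscall") in SYSCALL_FILE_WRITE:
            for path_rec in (r for r in records if r.get("type") == "PATH"):
                name = path_rec.get("name", "")
                if name.startswith(TIMER_CREATION_PATHS) and name.endswith((".timer", ".service")):
                    unit_writes.append({"ts": syscall["ts"], "path": name, "uid": syscall.get("uid")})

    alerts = []
    for ex in execs:
        if ex.get("ppid") != "1" or ex.get("exe") in BENIGN_PID1_CHILDREN:
            continue
        preceding = [w["path"] for w in unit_writes if 0 <= ex["ts"] - w["ts"] <= CORRELATION_WINDOW_SEC]
        if preceding:
            alerts.append({"ts": ex["ts"], "exe": ex.get("exe"), "uid": ex.get("uid"),
                           "severity": "high" if ex.get("uid") == "0" else "medium",  # UserContext
                           "unit_files": sorted(set(preceding))})
    return alerts


# Constructed auditd records: a root editor creates a timer/service pair, then PID 1 spawns a shell.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1761040000.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=3000 pid=3001 auid=1000 uid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="systemd_units"
type=PATH msg=audit(1761040000.101:201): item=0 name="/etc/systemd/system/backup-sync.timer" nametype=CREATE
type=SYSCALL msg=audit(1761040000.102:202): arch=c000003e syscall=257 success=yes exit=3 ppid=3000 pid=3001 auid=1000 uid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="systemd_units"
type=PATH msg=audit(1761040000.102:202): item=0 name="/etc/systemd/system/backup-sync.service" nametype=CREATE
type=SYSCALL msg=audit(1761040000.200:203): arch=c000003e syscall=59 success=yes exit=0 ppid=3001 pid=3010 auid=1000 uid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=SYSCALL msg=audit(1761040060.000:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3020 auid=4294967295 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1761040061.000:205): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3021 auid=4294967295 uid=0 euid=0 comm="systemd-tmpfile" exe="/usr/lib/systemd/systemd-tmpfiles" key="exec"
""".splitlines()

# Constructed timer unit whose intervals fall under TimerIntervalThreshold.
SAMPLE_TIMER_UNIT = """\
[Unit]
Description=constructed sample timer
[Timer]
OnBootSec=10
OnUnitActiveSec=2min
[Install]
WantedBy=timers.target
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUDIT_LOG):
        print(alert)
    print("timer interval below threshold:", timer_is_unusually_frequent(SAMPLE_TIMER_UNIT))
```

The systemctl execve from the editing session is ignored because its parent is not PID 1, and the systemd-tmpfiles child is dropped by the allowlist; only the shell spawned by PID 1 a minute after the unit-file writes is alerted, carrying both unit paths so an analyst can pull the unit contents and run the interval check on them.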