T1053.006 Systemd Timers
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension
.timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.1 Systemd timers may be activated remotely via the
systemctl command line utility, which operates over SSH.2
.timer file must have a corresponding
.service file with the same name, e.g.,
.service files are Systemd Service unit files that are managed by the systemd system and service manager.3 Privileged timers are written to
/usr/lib/systemd/system while user level are written to
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.456 Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.
|T1053.002, T1053.003, T1053.005, T1053.006, T1053.007
|TA0002, TA0003, TA0004
|12 October 2020
|27 July 2021
|Privileged Account Management
|Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files.
|Restrict File and Directory Permissions
|Restrict read/write access to systemd
.timer unit files to only select privileged users who have a legitimate need to manage system services.
|User Account Management
|Limit user access to system utilities such as ‘systemctl’ or ‘systemd-run’ to users who have a legitimate need.
|Scheduled Job Creation