Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21)
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer
that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over SSH.(Citation: Systemd Remote Control)
Each .timer
file must have a corresponding .service
file with the same name, e.g., example.timer
and example.service
. .service
files are Systemd Service unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/
and /usr/lib/systemd/system
while user level are written to ~/.config/systemd/user/
.
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) | Attack Pattern | 1 |