T1053.006 Systemd Timers

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with the file extension <code>.timer</code> that control when a service unit is started. Timers can fire on a calendar event (<code>OnCalendar=</code>) or after a time span relative to a starting point such as boot or the last activation (<code>OnBootSec=</code>, <code>OnUnitActiveSec=</code>). They can be used as an alternative to Cron in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may also be activated remotely via the <code>systemctl</code> command line utility, whose <code>-H</code>/<code>--host</code> option runs the request over SSH.(Citation: Systemd Remote Control)

By default each <code>.timer</code> file activates the <code>.service</code> unit of the same name, e.g., <code>example.timer</code> starts <code>example.service</code>; a differently named unit can be selected with the <code>Unit=</code> directive in the timer's <code>[Timer]</code> section. <code>.service</code> files are Systemd Service unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged (system-wide) timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system/</code>, while user-level timers are written to <code>~/.config/systemd/user/</code>.

An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed in the privileged paths run as root and may be used to maintain root-level persistence. Adversaries may also install user-level timers, which need no elevated privileges, to achieve persistence as that user.(Citation: Falcon Sandbox smp: 28553b3a9d)
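The description above names the unit directories and the timer-to-service link that an investigator has to resolve. The following audit script is an added example, not part of the ATT&CK description or of systemd itself: it walks whatever unit directories it is given, pairs every <code>.timer</code> with the service it activates (honouring <code>Unit=</code>, falling back to the same-name <code>.service</code>), extracts the schedule and <code>ExecStart=</code>, and flags services that run from writable locations or through an inline shell. The unit files it runs against are constructed samples written to a temporary directory; the path list, the suspicious-location heuristic and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example: audit systemd timers by resolving each .timer to the service
# it activates and inspecting that service's ExecStart=.  Everything below is
# illustrative; the sample units are constructed, not taken from a real host.

# Print the ExecStart= line(s) of the service a timer activates.
# Uses Unit= if present, otherwise <name>.service in the same directory.
timer_exec_start() {
    timer="$1"
    dir=$(dirname "$timer")
    base=$(basename "$timer" .timer)
    unit=$(sed -n 's/^[[:space:]]*Unit=[[:space:]]*//p' "$timer" | tail -n 1)
    [ -n "$unit" ] || unit="$base.service"
    svc="$dir/$unit"
    # A timer whose service is gone (or lives elsewhere) is worth a look too.
    [ -f "$svc" ] || { echo "MISSING:$unit"; return 0; }
    sed -n 's/^[[:space:]]*ExecStart=[[:space:]]*//p' "$svc"
}

# Heuristic (assumption): commands rooted in world- or user-writable paths,
# or run through an inline shell, are unusual for legitimate timers.
is_suspicious_exec() {
    case "$1" in
        */tmp/*|*/var/tmp/*|*/dev/shm/*|/home/*|/root/*) return 0 ;;
        *"sh -c"*|*curl*|*wget*) return 0 ;;
    esac
    return 1
}

# audit_timers DIR...: one tab-separated line per ExecStart:
#   <timer path> <schedule directives> <ExecStart> <ok|SUSPICIOUS|dangling>
audit_timers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for t in "$dir"/*.timer; do
            [ -f "$t" ] || continue
            sched=$(grep -E '^[[:space:]]*(OnCalendar|OnBootSec|OnStartupSec|OnActiveSec|OnUnitActiveSec)=' "$t" | tr '\n' ' ')
            timer_exec_start "$t" | while IFS= read -r exec_cmd; do
                verdict=ok
                case "$exec_cmd" in MISSING:*) verdict=dangling ;; esac
                [ "$verdict" = ok ] && is_suspicious_exec "$exec_cmd" && verdict=SUSPICIOUS
                printf '%s\t%s\t%s\t%s\n' "$t" "$sched" "$exec_cmd" "$verdict"
            done
        done
    done
}

# Constructed sample units (assumption, for offline demonstration): a benign
# timer, a timer whose service runs a payload from /tmp via an inline shell,
# and a timer that points at a service which does not exist.
make_sample_units() {
    d="$1"
    mkdir -p "$d"
    printf '[Timer]\nOnCalendar=daily\n' >"$d/logrotate.timer"
    printf '[Service]\nExecStart=/usr/sbin/logrotate /etc/logrotate.conf\n' >"$d/logrotate.service"
    printf '[Timer]\nOnBootSec=30s\nOnUnitActiveSec=10min\n' >"$d/dbus-cache.timer"
    printf '[Service]\nExecStart=/bin/sh -c "/tmp/.cache/update >/dev/null 2>&1"\n' >"$d/dbus-cache.service"
    printf '[Timer]\nOnCalendar=*-*-* 03:00:00\nUnit=gc.service\n' >"$d/cleanup.timer"
}

# Stand-alone demo against the constructed samples.  On a live host run instead:
#   audit_timers /etc/systemd/system /usr/lib/systemd/system "$HOME/.config/systemd/user"
sample=$(mktemp -d)
make_sample_units "$sample"
audit_timers "$sample"
rm -rf "$sample"
```

The static pass complements <code>systemctl list-timers --all</code> and <code>systemctl --user list-timers --all</code>, which only report units systemd has loaded: a dropped-in <code>.timer</code> that has not yet been enabled, or a user timer for an account with no running user manager, shows up on disk before it shows up in those listings. Adding <code>/run/systemd/system</code> and each user's <code>~/.config/systemd/user</code> to the directory list covers the transient and per-user paths as well.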

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.AA-05.02 | Privileged system access | Mitigates | T1053.006 | Systemd Timers
  Comments: This diagnostic statement protects against Systemd Timers through privileged account management and multi-factor authentication, limiting who can write to the privileged unit directories.
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1053.006 | Systemd Timers
  Comments: This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and of account activity is essential to prevent and detect unauthorized access or misuse.
PR.AA-01.01 | Identity and credential management | Mitigates | T1053.006 | Systemd Timers
  Comments: This diagnostic statement protects against Systemd Timers through hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1053.006 | Systemd Timers
CM-06 | Configuration Settings | mitigates | T1053.006 | Systemd Timers
CM-05 | Access Restrictions for Change | mitigates | T1053.006 | Systemd Timers
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1053.006 | Systemd Timers
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1053.006 | Systemd Timers
SI-04 | System Monitoring | mitigates | T1053.006 | Systemd Timers
AC-02 | Account Management | mitigates | T1053.006 | Systemd Timers
AC-03 | Access Enforcement | mitigates | T1053.006 | Systemd Timers
AC-05 | Separation of Duties | mitigates | T1053.006 | Systemd Timers
AC-06 | Least Privilege | mitigates | T1053.006 | Systemd Timers

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.006 | Systemd Timers

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1053.006 | Systemd Timers
  Comments: This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create or modify scheduled tasks. The specificity of the registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1053.006 | Systemd Timers
  Comments: This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent the addition or modification of the config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
amazon_inspector | Amazon Inspector | technique_scores | T1053.006 | Systemd Timers
  Comments: The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures only the root account can modify or execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions around hardening the system. Because of this, and because the security control is only supported on Linux platforms, the score is Minimal.