T1053.006 Systemd Timers

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)

Each <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are Systemd Service unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>~/.config/systemd/user/</code>.

An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1053.006 Systemd Timers
AC-3 Access Enforcement Protects T1053.006 Systemd Timers
AC-5 Separation of Duties Protects T1053.006 Systemd Timers
AC-6 Least Privilege Protects T1053.006 Systemd Timers
CA-7 Continuous Monitoring Protects T1053.006 Systemd Timers
CM-5 Access Restrictions for Change Protects T1053.006 Systemd Timers
CM-6 Configuration Settings Protects T1053.006 Systemd Timers
IA-2 Identification and Authentication (organizational Users) Protects T1053.006 Systemd Timers
SI-4 System Monitoring Protects T1053.006 Systemd Timers
SI-7 Software, Firmware, and Information Integrity Protects T1053.006 Systemd Timers

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1053.006 Systemd Timers
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
    file_integrity_monitoring File Integrity Monitoring technique_scores T1053.006 Systemd Timers
    Comments
    This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
    References