Description
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.(Citation: Systemd Remote Control)
Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are Systemd Service unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)
Platforms
Mitigations (3)
Restrict File and Directory PermissionsM1022
Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services.
User Account ManagementM1018
Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need.
Privileged Account ManagementM1026
Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files.
References
- Aaron Kili. (2018, January 16). How to Control Systemd Services on Remote Linux Server. Retrieved July 26, 2021.
- archlinux. (2020, August 11). systemd/Timers. Retrieved October 12, 2020.
- Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.
- Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.
- Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.
- Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.
- Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.
Frequently Asked Questions
What is T1053.006 (Systemd Timers)?
T1053.006 is a MITRE ATT&CK technique named 'Systemd Timers'. It belongs to the Execution, Persistence, Privilege Escalation tactic(s). Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control...
How can T1053.006 be detected?
Detection of T1053.006 (Systemd Timers) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1053.006?
There are 3 documented mitigations for T1053.006. Key mitigations include: Restrict File and Directory Permissions, User Account Management, Privileged Account Management.
Which threat groups use T1053.006?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.