T1053.006

Systemd Timers

Execution Persistence Privilege Escalation

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. Each .timer file must have a corresponding .service file with the same name. Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level timers are written to ~/.config/systemd/user/. Adversaries may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence, and may leverage root-level timer paths to maintain privileged persistence.

Microsoft Sentinel / Defender

kusto

let TimerPaths = dynamic([
  "/etc/systemd/system/",
  "/usr/lib/systemd/system/",
  "/lib/systemd/system/",
  ".config/systemd/user/"
]);
let SuspiciousServiceContent = dynamic([
  "/tmp/", "/dev/shm/", "/var/tmp/",
  "bash -i", "nc ", "ncat ", "curl ", "wget ",
  "python", "perl", "ruby",
  "base64", "chmod +x", "chmod 777"
]);
// Detect systemctl commands enabling or starting timers
let SystemctlTimerEvents = Syslog
| where TimeGenerated > ago(24h)
| where ProcessName == "systemd" or SyslogMessage has "systemctl"
| where SyslogMessage has ".timer"
| where SyslogMessage has_any ("enable", "start", "daemon-reload", "link")
| extend TimerName = extract(@"([\w\-\.]+\.timer)", 1, SyslogMessage)
| extend Action = case(
    SyslogMessage has "enable", "enabled",
    SyslogMessage has "start", "started",
    SyslogMessage has "daemon-reload", "daemon-reloaded",
    "other")
| project TimeGenerated, Computer, ProcessName, SyslogMessage, TimerName, Action;
// Detect new .timer files written to systemd directories
let TimerFileCreation = DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FileName endswith ".timer" or FileName endswith ".service"
| where FolderPath has_any (TimerPaths)
| extend IsPrivilegedPath = FolderPath has_any ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/")
| extend IsUserTimer = FolderPath has ".config/systemd/user/"
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName,
         InitiatingProcessCommandLine, InitiatingProcessAccountName,
         IsPrivilegedPath, IsUserTimer;
union SystemctlTimerEvents, TimerFileCreation
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Syslog

Required Tables

Syslog DeviceFileEvents

False Positives

Legitimate software packages (e.g., apt, dnf, snap) installing systemd timers during package updates or installation
System administrators creating scheduled maintenance timers (log rotation, backup jobs, certificate renewal via certbot)
Configuration management tools (Ansible, Chef, Puppet, Salt) deploying timer units as part of infrastructure automation
Cloud-init or provisioning scripts creating timers during VM initialization or boot

Splunk

spl

index=syslog (sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="linux_syslog")
| eval msg=coalesce(message, _raw)
| eval is_timer_file_write=if(match(msg, "(\.timer|\.service)") AND match(msg, "(write|create|open|install|cp|mv|rsync)"), 1, 0)
| eval is_systemctl_timer=if(match(msg, "systemctl") AND match(msg, "\.timer") AND match(msg, "(enable|start|link|daemon-reload)"), 1, 0)
| eval is_privileged_path=if(match(msg, "(/etc/systemd/system/|/usr/lib/systemd/system/|/lib/systemd/system/)"), 1, 0)
| eval is_user_timer=if(match(msg, "\.config/systemd/user/"), 1, 0)
| eval is_suspicious_content=if(match(msg, "(/tmp/|/dev/shm/|/var/tmp/|bash -i|nc |ncat |curl |wget |python|perl|base64|chmod \\+x)"), 1, 0)
| where is_timer_file_write=1 OR is_systemctl_timer=1
| eval timer_name=if(match(msg, "[\w\-\.]+\.timer"), replace(msg, ".*([\w\-\.]+\.timer).*", "\1"), "unknown")
| eval risk_score=is_privileged_path + is_suspicious_content + is_systemctl_timer + is_timer_file_write
| eval path_type=case(is_privileged_path=1, "privileged", is_user_timer=1, "user", 1=1, "unknown")
| table _time, host, sourcetype, msg, timer_name, path_type, is_systemctl_timer, is_timer_file_write, is_privileged_path, is_suspicious_content, risk_score
| sort - _time

```
OR detect via auditd/Sysmon for Linux process execution:
```

index=linux_auditd type=EXECVE
| eval full_cmd=mvjoin(a_fields, " ")
| where match(full_cmd, "systemctl") AND match(full_cmd, "\.timer") AND match(full_cmd, "(enable|start|link)")
| rex field=full_cmd "(?P<timer_name>[\w\-\.]+\.timer)"
| eval is_privileged=if(match(full_cmd, "(/etc/systemd|/usr/lib/systemd|/lib/systemd)"), 1, 0)
| table _time, host, user, full_cmd, timer_name, is_privileged
| sort - _time

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Linux Audit Daemon

Required Sourcetypes

syslog linux_secure linux_auditd

False Positives

Legitimate software packages (e.g., apt, dnf, snap) installing systemd timers during package updates or installation
System administrators creating scheduled maintenance timers (log rotation, backup jobs, certificate renewal via certbot)
Configuration management tools (Ansible, Chef, Puppet, Salt) deploying timer units as part of infrastructure automation
Cloud-init or provisioning scripts creating timers during VM initialization or boot

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  logsourcename(logSourceId) AS "Log Source",
  sourceip AS "Source IP",
  username AS "Username",
  hostname AS "Hostname",
  UTF8(payload) AS "Raw Event",
  QIDNAME(qid) AS "Event Name",
  CASE
    WHEN UTF8(payload) ILIKE '%/etc/systemd/system/%'
      OR UTF8(payload) ILIKE '%/usr/lib/systemd/system/%'
      OR UTF8(payload) ILIKE '%/lib/systemd/system/%' THEN 'privileged'
    WHEN UTF8(payload) ILIKE '%/.config/systemd/user/%' THEN 'user'
    ELSE 'unknown'
  END AS "Path Type",
  CASE
    WHEN UTF8(payload) ILIKE '%/tmp/%'
      OR UTF8(payload) ILIKE '%/dev/shm/%'
      OR UTF8(payload) ILIKE '%/var/tmp/%'
      OR UTF8(payload) ILIKE '%base64%'
      OR UTF8(payload) ILIKE '%bash -i%'
      OR UTF8(payload) ILIKE '%curl %'
      OR UTF8(payload) ILIKE '%wget %'
      OR UTF8(payload) ILIKE '%python%'
      OR UTF8(payload) ILIKE '%perl%'
      OR UTF8(payload) ILIKE '%chmod +x%' THEN 'suspicious'
    ELSE 'normal'
  END AS "Content Risk"
FROM events
WHERE
  LOGSOURCETYPEID(logSourceId) IN (11 ,12 ,14)  -- Linux OS, Linux Syslog, Auditd
  AND (
    (
      UTF8(payload) ILIKE '%systemctl%'
      AND UTF8(payload) ILIKE '%.timer%'
      AND (
        UTF8(payload) ILIKE '%enable%'
        OR UTF8(payload) ILIKE '%start%'
        OR UTF8(payload) ILIKE '%link%'
        OR UTF8(payload) ILIKE '%daemon-reload%'
      )
    )
    OR
    (
      (
        UTF8(payload) ILIKE '%.timer%'
        OR UTF8(payload) ILIKE '%.service%'
      )
      AND (
        UTF8(payload) ILIKE '%/etc/systemd/system/%'
        OR UTF8(payload) ILIKE '%/usr/lib/systemd/system/%'
        OR UTF8(payload) ILIKE '%/lib/systemd/system/%'
        OR UTF8(payload) ILIKE '%/.config/systemd/user/%'
      )
      AND (
        UTF8(payload) ILIKE '%write%'
        OR UTF8(payload) ILIKE '%create%'
        OR UTF8(payload) ILIKE '%install%'
        OR UTF8(payload) ILIKE '%open%'
        OR UTF8(payload) ILIKE '%SYSCALL%'
      )
    )
  )
LAST 24 HOURS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Linux Syslog (QRadar DSM) Linux OS auditd (QRadar DSM) IBM QRadar SIEM

Required Tables

events

False Positives

Package manager post-install scriptlets (rpm %post, debian maintainer scripts) that call systemctl enable for newly installed timer units
Infrastructure-as-code pipelines using Terraform, Ansible Tower, or similar tools that legitimately write and activate timer units as part of application deployment
Monitoring agents (Prometheus node_exporter, Datadog, etc.) that register systemd timers for periodic metric collection during agent installation

Sumo Logic CSE

sql

(_sourceCategory=*linux* OR _sourceCategory=*syslog* OR _sourceCategory=*auditd*)
| where (
    (
      message matches "*systemctl*"
      and message matches "*.timer*"
      and (
        message matches "*enable*"
        or message matches "*start*"
        or message matches "*link*"
        or message matches "*daemon-reload*"
      )
    )
    or
    (
      (message matches "*.timer*" or message matches "*.service*")
      and (
        message matches "*/etc/systemd/system/*"
        or message matches "*/usr/lib/systemd/system/*"
        or message matches "*/lib/systemd/system/*"
        or message matches "*/.config/systemd/user/*"
      )
      and (
        message matches "*write*"
        or message matches "*create*"
        or message matches "*install*"
        or message matches "*SYSCALL*"
      )
    )
  )
| parse regex field=message "(?P<timer_name>[\\w\\-\\.]+\\.timer)" nodrop
| eval is_privileged_path = if(
    message matches "*/etc/systemd*"
    or message matches "*/usr/lib/systemd*"
    or message matches "*/lib/systemd*", 1, 0)
| eval is_user_timer = if(message matches "*/.config/systemd/user/*", 1, 0)
| eval is_suspicious_content = if(
    message matches "*/tmp/*"
    or message matches "*/dev/shm/*"
    or message matches "*/var/tmp/*"
    or message matches "*bash -i*"
    or message matches "*nc *"
    or message matches "*ncat *"
    or message matches "*curl *"
    or message matches "*wget *"
    or message matches "*python*"
    or message matches "*perl*"
    or message matches "*base64*"
    or message matches "*chmod +x*"
    or message matches "*chmod 777*", 1, 0)
| eval is_systemctl_action = if(
    message matches "*systemctl*" and message matches "*.timer*", 1, 0)
| eval risk_score = is_privileged_path + is_suspicious_content + is_systemctl_action + is_user_timer
| eval path_type = if(is_privileged_path = 1, "privileged", if(is_user_timer = 1, "user", "unknown"))
| fields _messageTime, _sourceHost, _source, timer_name, path_type, is_privileged_path, is_user_timer, is_suspicious_content, is_systemctl_action, risk_score, message
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Linux syslog) Sumo Logic Auditd Source Linux Syslog (rsyslog/syslog-ng)

Required Tables

_sourceCategory=*linux* _sourceCategory=*syslog* _sourceCategory=*auditd*

False Positives

OS boot initialization sequences that enable standard system timers such as systemd-tmpfiles-clean.timer, man-db.timer, and logrotate.timer on first startup
Automated patching workflows (unattended-upgrades, yum-cron) that write updated timer unit files to /usr/lib/systemd/system/ as part of package updates
Container runtimes or systemd-nspawn instances where user-level timers are legitimately created under .config/systemd/user/ for application scheduling within isolated namespaces

Google Chronicle / SecOps

yaral

rule systemd_timer_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abuse of systemd timers for persistence (MITRE ATT&CK T1053.006). Matches systemctl commands enabling, starting, or linking .timer units and file creation or modification events targeting privileged system-level or user-level systemd unit directories."
    severity = "HIGH"
    tactic = "Persistence"
    technique = "T1053.006"
    reference = "https://attack.mitre.org/techniques/T1053/006/"
    created = "2026-04-16"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex(
        $e.target.process.command_line,
        `systemctl.+\.timer.*(enable|start|link|daemon-reload)`
      )
    )
    or
    (
      (
        $e.metadata.event_type = "FILE_CREATION"
        or $e.metadata.event_type = "FILE_MODIFICATION"
      )
      and (
        re.regex(
          $e.target.file.full_path,
          `/(etc|usr/lib|lib)/systemd/system/[^/]+\.(timer|service)$`
        )
        or re.regex(
          $e.target.file.full_path,
          `\.config/systemd/user/[^/]+\.(timer|service)$`
        )
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Linux OS via Chronicle Forwarder Linux Auditd via Chronicle Ingestion API

Required Tables

UDM Events (PROCESS_LAUNCH) UDM Events (FILE_CREATION) UDM Events (FILE_MODIFICATION)

False Positives

Package manager scriptlets executed by apt, yum, or dnf that call systemctl enable on newly installed timer units targeting /usr/lib/systemd/system/
Configuration management platforms such as Ansible AWX or SaltStack writing timer unit files to systemd directories during scheduled fleet provisioning or configuration drift remediation
System updates replacing existing /usr/lib/systemd/system/*.timer files for built-in services like apt-daily.timer, fwupd-refresh.timer, or motd-news.timer

CrowdStrike LogScale (CQL)

cql

// Detect systemctl commands operating on .timer units OR .timer/.service file writes
#event_simpleName = /^(ProcessRollup2|NewExecutableWritten|SuspiciousScriptContent)$/

// Branch: systemctl timer management
| case {
    #event_simpleName = "ProcessRollup2"
    and ImageFileName = /systemctl/
    and CommandLine = /\.timer.*(enable|start|link|daemon-reload)/
    => eval(detection_type := "systemctl_timer_action");

    #event_simpleName = "NewExecutableWritten"
    and TargetFileName = /\.(timer|service)$/
    and TargetDirectoryName = /(\/(etc|usr\/lib|lib)\/systemd\/system|\.config\/systemd\/user)/
    => eval(detection_type := "timer_file_write");

    * => drop()
  }

// Extract timer name from command line or file name
| eval(
    timer_name := ifnull(
      regex("([\\w\\-\\.]+\\.timer)", field=TargetFileName, flags="i"),
      regex("([\\w\\-\\.]+\\.timer)", field=CommandLine, flags="i")
    )
  )

// Classify path privilege level
| eval(
    is_privileged := if(
      CommandLine =~ /(\/(etc|usr\/lib|lib)\/systemd\/system)/
      or TargetDirectoryName =~ /(\/(etc|usr\/lib|lib)\/systemd\/system)/,
      "true", "false"
    )
  )

// Flag suspicious payload indicators
| eval(
    is_suspicious := if(
      CommandLine =~ /(\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|bash -i|base64|chmod \+x|wget |curl |python|perl|nc |ncat )/,
      "true", "false"
    )
  )

| groupBy(
    [ComputerName, UserName, detection_type, timer_name, is_privileged, is_suspicious],
    function=[
      count(as=event_count),
      collect(CommandLine, limit=5),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ]
  )
| sort(event_count, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Linux) Falcon Insight XDR CrowdStrike LogScale

Required Tables

ProcessRollup2 NewExecutableWritten

False Positives

Software deployment pipelines on Falcon-monitored Linux hosts that install application packages bundling their own systemd timer units (e.g., Prometheus exporters, backup agents, certificate renewal tools)
System administrators running systemctl enable/start commands for legitimate timer units during server provisioning or service restoration after maintenance windows
Automated OS patching tools (unattended-upgrades, yum-cron) that write updated timer files to /usr/lib/systemd/system/ as part of package upgrade operations

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1053.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002At T1053.003Cron T1053.005Scheduled Task T1053.007Container Orchestration Job

Systemd Timers

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections