T1053.006 IBM QRadar · QRadar

Detect Systemd Timers in IBM QRadar

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. Each .timer file must have a corresponding .service file with the same name. Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level timers are written to ~/.config/systemd/user/. Adversaries may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence, and may leverage root-level timer paths to maintain privileged persistence.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.006 Systemd Timers
Canonical reference
https://attack.mitre.org/techniques/T1053/006/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  logsourcename(logSourceId) AS "Log Source",
  sourceip AS "Source IP",
  username AS "Username",
  hostname AS "Hostname",
  UTF8(payload) AS "Raw Event",
  QIDNAME(qid) AS "Event Name",
  CASE
    WHEN UTF8(payload) ILIKE '%/etc/systemd/system/%'
      OR UTF8(payload) ILIKE '%/usr/lib/systemd/system/%'
      OR UTF8(payload) ILIKE '%/lib/systemd/system/%' THEN 'privileged'
    WHEN UTF8(payload) ILIKE '%/.config/systemd/user/%' THEN 'user'
    ELSE 'unknown'
  END AS "Path Type",
  CASE
    WHEN UTF8(payload) ILIKE '%/tmp/%'
      OR UTF8(payload) ILIKE '%/dev/shm/%'
      OR UTF8(payload) ILIKE '%/var/tmp/%'
      OR UTF8(payload) ILIKE '%base64%'
      OR UTF8(payload) ILIKE '%bash -i%'
      OR UTF8(payload) ILIKE '%curl %'
      OR UTF8(payload) ILIKE '%wget %'
      OR UTF8(payload) ILIKE '%python%'
      OR UTF8(payload) ILIKE '%perl%'
      OR UTF8(payload) ILIKE '%chmod +x%' THEN 'suspicious'
    ELSE 'normal'
  END AS "Content Risk"
FROM events
WHERE
  LOGSOURCETYPEID(logSourceId) IN (11 ,12 ,14)  -- Linux OS, Linux Syslog, Auditd
  AND (
    (
      UTF8(payload) ILIKE '%systemctl%'
      AND UTF8(payload) ILIKE '%.timer%'
      AND (
        UTF8(payload) ILIKE '%enable%'
        OR UTF8(payload) ILIKE '%start%'
        OR UTF8(payload) ILIKE '%link%'
        OR UTF8(payload) ILIKE '%daemon-reload%'
      )
    )
    OR
    (
      (
        UTF8(payload) ILIKE '%.timer%'
        OR UTF8(payload) ILIKE '%.service%'
      )
      AND (
        UTF8(payload) ILIKE '%/etc/systemd/system/%'
        OR UTF8(payload) ILIKE '%/usr/lib/systemd/system/%'
        OR UTF8(payload) ILIKE '%/lib/systemd/system/%'
        OR UTF8(payload) ILIKE '%/.config/systemd/user/%'
      )
      AND (
        UTF8(payload) ILIKE '%write%'
        OR UTF8(payload) ILIKE '%create%'
        OR UTF8(payload) ILIKE '%install%'
        OR UTF8(payload) ILIKE '%open%'
        OR UTF8(payload) ILIKE '%SYSCALL%'
      )
    )
  )
LAST 24 HOURS
ORDER BY devicetime DESC
high severity medium confidence

QRadar AQL query detecting systemd timer persistence via Linux syslog and auditd log sources. Identifies systemctl commands acting on .timer units (enable/start/link/daemon-reload) and file creation events in privileged or user-level systemd directories, with inline risk classification by path type and suspicious content patterns.

Data Sources

Linux Syslog (QRadar DSM)Linux OS auditd (QRadar DSM)IBM QRadar SIEM

Required Tables

events

False Positives & Tuning

  • Package manager post-install scriptlets (rpm %post, debian maintainer scripts) that call systemctl enable for newly installed timer units
  • Infrastructure-as-code pipelines using Terraform, Ansible Tower, or similar tools that legitimately write and activate timer units as part of application deployment
  • Monitoring agents (Prometheus node_exporter, Datadog, etc.) that register systemd timers for periodic metric collection during agent installation
Download portable Sigma rule (.yml)

Other platforms for T1053.006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create and Enable a Privileged Systemd Timer for Persistence

    Expected signal: Auditd: SYSCALL openat/write events for /etc/systemd/system/argus-test.timer and /etc/systemd/system/argus-test.service creation. Process creation events for 'systemctl daemon-reload', 'systemctl enable argus-test.timer', 'systemctl start argus-test.timer'. Syslog: systemd entries showing 'argus-test.timer' enabled and started. After 1 minute: process creation for /bin/bash /tmp/argus_payload.sh spawned with parent=systemd.

  2. Test 2Create User-Level Systemd Timer for Unprivileged Persistence

    Expected signal: File creation events for ~/.config/systemd/user/argus-user-test.timer and ~/.config/systemd/user/argus-user-test.service. Process creation events for 'systemctl --user daemon-reload', 'systemctl --user enable', 'systemctl --user start'. User journal entries: 'journalctl --user -u argus-user-test.timer' shows activation. On calendar trigger: process creation for /bin/bash /tmp/user_payload.sh with parent process systemd (user instance).

  3. Test 3Deploy Systemd Timer with Base64-Encoded Payload in ExecStart

    Expected signal: File creation events for /etc/systemd/system/argus-encoded-test.service and /etc/systemd/system/argus-encoded-test.timer. The service unit file content contains 'base64 -d | bash' in ExecStart — detectable via file content inspection. Syslog: systemctl enable/start events. Process creation: /bin/bash spawned by systemd with base64 decode pipe pattern visible in command line arguments.

  4. Test 4Simulate Remote Systemd Timer Activation via SSH

    Expected signal: File creation for unit files in /etc/systemd/system/. Process creation: systemctl enable and start commands. If run via SSH: /var/log/auth.log shows SSH session from source IP, with subsequent systemctl commands in the same session. Syslog: 'argus-remote-test.timer' enabled and started entries. Auditd: EXECVE records for systemctl with timer arguments.

Last updated: 2026-04-16 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1053.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002AtT1053.003CronT1053.005Scheduled TaskT1053.007Container Orchestration Job

Related Techniques

T1053Scheduled Task/JobT1053.003CronT1543.002Systemd ServiceT1059.004Unix ShellT1105Ingress Tool TransferT1021.004SSHT1036.005Match Legitimate Resource Name or LocationT1222.002Linux and Mac File and Directory Permissions ModificationT1027Obfuscated Files or Information

Same Tactic: Execution

Popular Detections