T1053.006 Splunk · SPL

Detect Systemd Timers in Splunk

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with the file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. Each .timer file must have a corresponding .service file with the same name. Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system/, while user-level timers are written to ~/.config/systemd/user/. Adversaries may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence, and may leverage root-level timer paths to maintain privileged persistence.

MITRE ATT&CK

Tactic
Execution, Persistence, Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.006 Systemd Timers
Canonical reference
https://attack.mitre.org/techniques/T1053/006/

SPL Detection Query

Splunk (SPL)

```spl
index=syslog (sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="linux_syslog")
| eval msg=coalesce(message, _raw)
| eval is_timer_file_write=if(match(msg, "(\.timer|\.service)") AND match(msg, "(write|create|open|install|cp|mv|rsync)"), 1, 0)
| eval is_systemctl_timer=if(match(msg, "systemctl") AND match(msg, "\.timer") AND match(msg, "(enable|start|link|daemon-reload)"), 1, 0)
| eval is_privileged_path=if(match(msg, "(/etc/systemd/system/|/usr/lib/systemd/system/|/lib/systemd/system/)"), 1, 0)
| eval is_user_timer=if(match(msg, "\.config/systemd/user/"), 1, 0)
| eval is_suspicious_content=if(match(msg, "(/tmp/|/dev/shm/|/var/tmp/|bash -i|nc |ncat |curl |wget |python|perl|base64|chmod \\+x)"), 1, 0)
| where is_timer_file_write=1 OR is_systemctl_timer=1
| eval timer_name=if(match(msg, "[\w\-\.]+\.timer"), replace(msg, ".*([\w\-\.]+\.timer).*", "\1"), "unknown")
| eval risk_score=is_privileged_path + is_suspicious_content + is_systemctl_timer + is_timer_file_write
| eval path_type=case(is_privileged_path=1, "privileged", is_user_timer=1, "user", 1=1, "unknown")
| table _time, host, sourcetype, msg, timer_name, path_type, is_systemctl_timer, is_timer_file_write, is_privileged_path, is_suspicious_content, risk_score
| sort - _time
```

Or detect via auditd/Sysmon for Linux process execution:

```spl
index=linux_auditd type=EXECVE
| eval full_cmd=mvjoin(a_fields, " ")
| where match(full_cmd, "systemctl") AND match(full_cmd, "\.timer") AND match(full_cmd, "(enable|start|link)")
| rex field=full_cmd "(?P<timer_name>[\w\-\.]+\.timer)"
| eval is_privileged=if(match(full_cmd, "(/etc/systemd|/usr/lib/systemd|/lib/systemd)"), 1, 0)
| table _time, host, user, full_cmd, timer_name, is_privileged
| sort - _time
```

Severity: high · Confidence: medium

Detects systemd timer abuse using Linux syslog sources. Identifies two primary indicators: (1) file creation or modification events targeting systemd unit file paths for .timer or .service files, and (2) systemctl commands enabling or starting timer units. Assigns a risk score based on the combination of privileged path access, suspicious payload content in service definitions, and activation commands. Also includes an alternate auditd-based query for environments with Linux audit daemon logging.
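As an added example that is not part of this page's detection package, the following Python reimplements the eval/where stages of the syslog query over constructed sample lines, so the risk scores and path classification can be checked offline before the SPL is deployed. The regexes are copied from the query and keep its substring semantics (no word boundaries). One tuning step is added that the page's query does not have: an assumed allowlist of distro-shipped timer names (the unit names are real Debian/Ubuntu timers, but treating them as an allowlist is a hypothetical local choice) that suppresses package-manager noise unless suspicious payload content is also present.

```python
import re
from dataclasses import dataclass

# Regexes mirror the match() calls of the page's syslog query (substring matches, no word boundaries)
TIMER_FILE = re.compile(r"\.(timer|service)")
WRITE_VERB = re.compile(r"(write|create|open|install|cp|mv|rsync)")
SYSTEMCTL_ACT = re.compile(r"(enable|start|link|daemon-reload)")
PRIV_PATH = re.compile(r"(/etc/systemd/system/|/usr/lib/systemd/system/|/lib/systemd/system/)")
USER_PATH = re.compile(r"\.config/systemd/user/")
SUSPICIOUS = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|bash -i|nc |ncat |curl |wget |python|perl|base64|chmod \+x)")
TIMER_NAME = re.compile(r"[\w\-.]+\.timer")

# Assumed tuning allowlist of distro-shipped timers; not part of the page's query
BENIGN_TIMERS = {"apt-daily.timer", "apt-daily-upgrade.timer", "logrotate.timer", "fstrim.timer", "certbot.timer"}

# Constructed sample syslog lines (host, user and timestamps are made up)
SAMPLE_SYSLOG = [
    "Mar  3 10:12:01 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/cp /tmp/argus-test.timer /etc/systemd/system/argus-test.timer",
    "Mar  3 10:12:05 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl enable --now argus-test.timer",
    "Mar  3 10:13:40 web01 bash[1532]: cp /tmp/user_payload.timer /home/admin/.config/systemd/user/argus-user-test.timer",
    "Mar  3 06:25:03 web01 certbot.postinst[4121]: install -m 0644 certbot.timer /lib/systemd/system/certbot.timer; systemctl enable certbot.timer",
    "Mar  3 10:14:00 web01 sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
]


@dataclass
class Finding:
    timer_name: str
    path_type: str
    risk_score: int
    suppressed: bool
    msg: str


def score_line(msg):
    """Return a Finding for lines the query's `where` stage keeps, else None."""
    is_timer_file_write = int(bool(TIMER_FILE.search(msg) and WRITE_VERB.search(msg)))
    is_systemctl_timer = int("systemctl" in msg and ".timer" in msg and bool(SYSTEMCTL_ACT.search(msg)))
    if not (is_timer_file_write or is_systemctl_timer):
        return None
    is_privileged_path = int(bool(PRIV_PATH.search(msg)))
    is_user_timer = int(bool(USER_PATH.search(msg)))
    is_suspicious_content = int(bool(SUSPICIOUS.search(msg)))
    names = TIMER_NAME.findall(msg)
    # The SPL replace() uses a greedy .*(...) so it keeps the last .timer token on the line
    timer_name = names[-1] if names else "unknown"
    path_type = "privileged" if is_privileged_path else ("user" if is_user_timer else "unknown")
    risk_score = is_privileged_path + is_suspicious_content + is_systemctl_timer + is_timer_file_write
    # Added tuning: distro-shipped timers are suppressed unless payload content looks suspicious
    suppressed = timer_name in BENIGN_TIMERS and not is_suspicious_content
    return Finding(timer_name, path_type, risk_score, bool(suppressed), msg)


def run_detection(lines):
    """All findings in input order (the rows the SPL `table` stage would emit)."""
    return [f for f in map(score_line, lines) if f is not None]


def alerts(lines):
    """Findings that survive the allowlist, i.e. what an analyst would actually be paged on."""
    return [f for f in run_detection(lines) if not f.suppressed]


if __name__ == "__main__":
    for f in run_detection(SAMPLE_SYSLOG):
        flag = "SUPPRESSED" if f.suppressed else "ALERT"
        print(f"{flag:10} risk={f.risk_score} path={f.path_type:10} timer={f.timer_name}")
```

Running it shows why the query needs both indicators: the `systemctl enable --now argus-test.timer` line scores only 1 because activation by unit name carries no path and no payload, while the earlier `cp /tmp/... /etc/systemd/system/...` line scores 3. It also shows the limit of score-only tuning: the certbot postinst line scores 3 exactly like the adversary's copy, so suppression has to key on the unit name (or the package-manager parent process), not the score.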

Data Sources

  • File: File Creation
  • File: File Modification
  • Process: Process Creation
  • Command: Command Execution
  • Linux Audit Daemon

Required Sourcetypes

  • syslog
  • linux_secure
  • linux_auditd

False Positives & Tuning

  • Legitimate software packages (e.g., apt, dnf, snap) installing systemd timers during package updates or installation
  • System administrators creating scheduled maintenance timers (log rotation, backup jobs, certificate renewal via certbot)
  • Configuration management tools (Ansible, Chef, Puppet, Salt) deploying timer units as part of infrastructure automation
  • Cloud-init or provisioning scripts creating timers during VM initialization or boot
Testing Methodology

Validate this detection against the 4 adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create and Enable a Privileged Systemd Timer for Persistence

    Expected signal: Auditd: SYSCALL openat/write events for /etc/systemd/system/argus-test.timer and /etc/systemd/system/argus-test.service creation. Process creation events for 'systemctl daemon-reload', 'systemctl enable argus-test.timer', 'systemctl start argus-test.timer'. Syslog: systemd entries showing 'argus-test.timer' enabled and started. After 1 minute: process creation for /bin/bash /tmp/argus_payload.sh spawned with parent=systemd.

  2. Test 2: Create User-Level Systemd Timer for Unprivileged Persistence

    Expected signal: File creation events for ~/.config/systemd/user/argus-user-test.timer and ~/.config/systemd/user/argus-user-test.service. Process creation events for 'systemctl --user daemon-reload', 'systemctl --user enable', 'systemctl --user start'. User journal entries: 'journalctl --user -u argus-user-test.timer' shows activation. On calendar trigger: process creation for /bin/bash /tmp/user_payload.sh with parent process systemd (user instance).

  3. Test 3: Deploy Systemd Timer with Base64-Encoded Payload in ExecStart

    Expected signal: File creation events for /etc/systemd/system/argus-encoded-test.service and /etc/systemd/system/argus-encoded-test.timer. The service unit file content contains 'base64 -d | bash' in ExecStart — detectable via file content inspection. Syslog: systemctl enable/start events. Process creation: /bin/bash spawned by systemd with base64 decode pipe pattern visible in command line arguments.

  4. Test 4: Simulate Remote Systemd Timer Activation via SSH

    Expected signal: File creation for unit files in /etc/systemd/system/. Process creation: systemctl enable and start commands. If run via SSH: /var/log/auth.log shows SSH session from source IP, with subsequent systemctl commands in the same session. Syslog: 'argus-remote-test.timer' enabled and started entries. Auditd: EXECVE records for systemctl with timer arguments.
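Test 4 expects auditd EXECVE records for systemctl with timer arguments, and the alternate auditd query rebuilds the command line from the a0..aN argument fields. The following Python, added here and not part of the page or of any Splunk add-on, is a parser for raw audit.log records that shows what that query has to cope with: auditd emits an argument as a bare hex string instead of a quoted one when it contains a space or a quote, so a `sh -c "systemctl ..."` invocation is invisible to a substring match unless the argument is decoded first. The parser decodes those arguments, joins each EXECVE record to the SYSCALL record with the same audit serial to recover the login uid (the `user` column of the query), and applies the query's systemctl/.timer/privileged-path checks. All records are constructed; the timestamps, serials and uids are made up.

```python
import re

# Field patterns for raw auditd records (audit.log format)
EXECVE_ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
AUDIT_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
SYSCALL_AUID = re.compile(r"\bauid=(\d+)")
# Checks copied from the page's auditd query
ACTIVATION = re.compile(r"(enable|start|link)")
TIMER_NAME = re.compile(r"[\w\-.]+\.timer")
PRIV_PATH = re.compile(r"(/etc/systemd|/usr/lib/systemd|/lib/systemd)")

# Constructed sample records. The shell payload contains spaces, so auditd would log it
# hex-encoded; it is encoded here the same way rather than typed in by hand.
SH_PAYLOAD = "systemctl link /etc/systemd/system/argus-test.timer && systemctl start argus-test.timer"
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1709460726.001:4712): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 comm="systemctl" exe="/usr/bin/systemctl"',
    'type=EXECVE msg=audit(1709460726.001:4712): argc=3 a0="systemctl" a1="enable" a2="argus-test.timer"',
    'type=SYSCALL msg=audit(1709460727.450:4715): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 comm="sh" exe="/usr/bin/dash"',
    'type=EXECVE msg=audit(1709460727.450:4715): argc=3 a0="/bin/sh" a1="-c" a2=' + SH_PAYLOAD.encode().hex().upper(),
    'type=EXECVE msg=audit(1709460730.002:4720): argc=2 a0="systemctl" a1="daemon-reload"',
]


def audit_serial(record):
    """Serial number from msg=audit(<epoch>:<serial>); the join key between record types."""
    m = AUDIT_MSG.search(record)
    return int(m.group(2)) if m else None


def decode_execve(record):
    """Rebuild the command line from a0..aN, decoding hex-encoded arguments. None for non-EXECVE records."""
    if not record.startswith("type=EXECVE"):
        return None
    args = []
    for idx, quoted, hexed in EXECVE_ARG.findall(record):
        value = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
        args.append((int(idx), value))
    args.sort()
    return " ".join(value for _, value in args)


def timer_activation(full_cmd):
    """Mirror of the query's where/rex/eval stages. None when the command is not a timer activation."""
    if not ("systemctl" in full_cmd and ".timer" in full_cmd and ACTIVATION.search(full_cmd)):
        return None
    names = TIMER_NAME.findall(full_cmd)  # rex keeps the first match
    return {"timer_name": names[0] if names else "unknown",
            "is_privileged": int(bool(PRIV_PATH.search(full_cmd)))}


def hunt(records):
    """Join EXECVE to SYSCALL by serial and return one finding per timer activation, in log order."""
    auid_by_serial = {}
    for r in records:
        if r.startswith("type=SYSCALL"):
            m = SYSCALL_AUID.search(r)
            if m:
                auid_by_serial[audit_serial(r)] = int(m.group(1))
    findings = []
    for r in records:
        full_cmd = decode_execve(r)
        if full_cmd is None:
            continue
        hit = timer_activation(full_cmd)
        if hit is None:
            continue
        serial = audit_serial(r)
        hit.update(serial=serial, auid=auid_by_serial.get(serial), full_cmd=full_cmd)
        findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_AUDIT_LOG):
        print(f"serial={hit['serial']} auid={hit['auid']} priv={hit['is_privileged']} "
              f"timer={hit['timer_name']} cmd={hit['full_cmd']}")
```

The second record shows the same gap as the syslog query: `systemctl enable argus-test.timer` reveals no path, so `is_privileged` is 0 even though a root-owned unit is being enabled. The `sh -c` record only matches because the hex argument was decoded; a pipeline that indexes the raw `a2=7379...` string would miss it.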
