title: Systemd Timers (T1053.006)
id: df00tech-t1053-006
status: experimental
description: "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. Each .timer file must have a corresponding .service file with the same name. Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level timers are written to ~/.config/systemd/user/. Adversaries may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence, and may leverage root-level timer paths to maintain privileged persistence."
references:
  - https://attack.mitre.org/techniques/T1053/006/
  - https://df00tech.com/detections/T1053.006
author: df00tech
date: 2026/04/16
tags:
  - attack.t1053.006
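# NOTE: systemd timers exist only on Linux, so the logsource targets Linux file events; adjust for your environment.
# The df00tech KQL/SPL query could not be auto-translated. The selection below is an assumption
# built from the timer paths and the .timer extension named in the description above.
logsource:
  category: file_event
  product: linux
detection:
  # Privileged timer unit directories
  selection_system_path:
    TargetFilename|startswith:
      - '/etc/systemd/system/'
      - '/usr/lib/systemd/system/'
  # User-level timer unit directory (~/.config/systemd/user/ under any home directory)
  selection_user_path:
    TargetFilename|contains: '/.config/systemd/user/'
  selection_timer:
    TargetFilename|endswith: '.timer'
  condition: (selection_system_path or selection_user_path) and selection_timer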
falsepositives:
  - "Legitimate software packages (e.g., apt, dnf, snap) installing systemd timers during package updates or installation"
  - "System administrators creating scheduled maintenance timers (log rotation, backup jobs, certificate renewal via certbot)"
  - "Configuration management tools (Ansible, Chef, Puppet, Salt) deploying timer units as part of infrastructure automation"
  - Cloud-init or provisioning scripts creating timers during VM initialization or boot
level: high
