Systemd Timers

Systemd Timers [T1053.006]

Information

Name: Systemd Timers
ID: T1053.006
Tactics: , ,
Technique:

Introduction

Systemd Timers (T1053.006) is a sub-technique under the Scheduled Task/Job technique (T1053) within the MITRE ATT&CK framework. It involves adversaries leveraging systemd timer units, a Linux-based scheduling mechanism, to execute malicious scripts or binaries at predetermined intervals or specific times. Systemd timers are similar in functionality to cron jobs but offer enhanced flexibility, reliability, and logging capabilities, making them an attractive option for attackers seeking persistence, execution, or privilege escalation on compromised Linux systems.

Deep Dive Into Technique

Systemd timers are used to schedule tasks using two primary components: timer units (.timer) and service units (.service). Attackers typically use these components in combination to achieve persistent execution of malicious payloads.

Technical Execution Details

Timer unit files (.timer) define the schedule or event that triggers execution. These files specify time-based triggers (e.g., daily, weekly, monthly) or events (e.g., boot completion, idle state).
Service unit files (.service) define the actual command, script, or binary to execute when triggered by the timer unit.

Common file locations attackers leverage

/etc/systemd/system/: Global systemd configuration directory, requiring root privileges.
~/.config/systemd/user/: User-specific timers and services, not requiring root privileges.

Typical commands attackers use

Creating malicious timer and service unit files:

vim ~/.config/systemd/user/malicious.timer
vim ~/.config/systemd/user/malicious.service

Enabling and starting timer units:

systemctl --user enable malicious.timer
systemctl --user start malicious.timer

Checking timer status:
```
systemctl --user list-timers
```

Key attributes attackers exploit

Persistent execution: Timers can ensure the malicious payload executes regularly, surviving reboots and system updates.
Stealth: Timers can be named deceptively similar to legitimate systemd timers, complicating detection.
Logging: Systemd timers provide integrated logging, which attackers may manipulate or clear to obscure their activities.

When this Technique is Usually Used

Attackers typically utilize Systemd Timers at various stages of the cyber kill chain, primarily to establish persistence and maintain long-term access to compromised systems. Common scenarios and stages include:

Persistence: Attackers frequently leverage systemd timers to maintain a foothold, ensuring their payload executes at regular intervals or at boot time.
Execution: Timers provide attackers with scheduled execution capabilities, allowing periodic data exfiltration, command-and-control beaconing, or lateral movement within the compromised environment.
Privilege Escalation: If attackers have access to privileged accounts, they may create or modify system-wide timer units to execute malicious commands with elevated privileges.
Defense Evasion: Systemd timers can be named similarly to legitimate services, enabling attackers to blend in with normal system operations and evade detection.

How this Technique is Usually Detected

Detection of malicious Systemd Timers involves monitoring, analyzing, and auditing specific system activities, files, and behaviors. Common detection methods include:

File Integrity Monitoring (FIM): Detecting unauthorized creation or modification of .timer and .service files, especially in system-wide directories (/etc/systemd/system/) or unexpected user directories (~/.config/systemd/user/).
Systemd Logs and Auditing: Reviewing systemd logs (journalctl) for suspicious timer execution, unexpected job failures, or unusual scheduling patterns.
```
journalctl -u suspicious.service
journalctl --user-unit suspicious.service
```
Real-time Monitoring Tools: Deploying endpoint detection and response (EDR) solutions, Security Information and Event Management (SIEM) systems, or Linux auditing tools (auditd) to monitor and alert on suspicious timer creation and execution.
Command Execution Monitoring: Auditing commands such as systemctl enable, systemctl start, or systemctl list-timers executed by unauthorized or unexpected users.
Behavioral Analysis: Identifying abnormal timer schedules (e.g., timers triggering execution at unusual intervals or times) or unusual system load patterns.

Indicators of Compromise (IoCs)

Unexpected .timer and .service files in system or user directories.
Suspicious timer names mimicking legitimate systemd timers.
Unusual periodic network connections or data transfers correlating with timer execution intervals.
Unexplained cron-like behavior without corresponding cron jobs.

Why it is Important to Detect This Technique

Early detection of malicious Systemd Timers is critical due to their potential impacts on system security, stability, and confidentiality. Key reasons include:

Persistence and Long-term Access: Undetected timers allow attackers prolonged access to compromised systems, facilitating further malicious activities such as lateral movement, data exfiltration, or privilege escalation.
Data Exfiltration and Espionage: Timers can be employed to periodically exfiltrate sensitive data or intellectual property, potentially causing significant financial and reputational damage.
Resource Abuse: Attackers can leverage scheduled tasks to abuse system resources (e.g., cryptomining, denial-of-service attacks), negatively impacting system performance and availability.
Stealth and Evasion: Attackers may disguise timers as legitimate system tasks, complicating detection and forensic analysis. Early detection helps security teams mitigate these risks and prevent further compromise.

Examples

Real-world examples of attackers utilizing Systemd Timers include:

Rocke Group Cryptomining Campaign:
- Scenario: The Rocke threat group deployed cryptomining malware on compromised Linux servers using systemd timers to maintain persistence and ensure continuous mining operations.
- Tools Used:
  - Malicious .timer and .service unit files for scheduled execution.
  - Monero cryptocurrency mining binaries.
- Impact: Resource exhaustion, increased energy costs, reduced system performance, and potential damage to hardware.
Skidmap Linux Malware:
- Scenario: Skidmap malware leveraged systemd timers to periodically execute malicious kernel modules and rootkits, maintaining stealthy persistence and evading traditional detection mechanisms.
- Tools Used:
  - Malicious systemd timer units combined with rootkits and kernel-level backdoors.
- Impact: Persistent root-level access, data theft, compromised system integrity, and significant detection difficulties.
TeamTNT Malware Campaign:
- Scenario: TeamTNT malware operators utilized systemd timers to periodically execute scripts that scanned cloud environments for exposed Docker APIs and Kubernetes clusters, enabling lateral movement and further compromise.
- Tools Used:
  - Bash scripts scheduled via systemd timers.
  - Network scanning utilities.
- Impact: Unauthorized access to cloud infrastructure, lateral movement, potential data breaches, and unauthorized cryptomining activities.

Last updated 1 month ago