IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Cron Job Created or Changed by Previously Unknown Process New Systemd Service Created by Previously Unknown Process »

› ›

New Systemd Timer Created

edit

New Systemd Timer Created

edit

Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.

Rule type: new_terms

Rule indices:

logs-endpoint.events.*
endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Linux
Threat Detection
Persistence
Elastic Endgame

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not
process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Scheduled Task/Job
- ID: T1053
- Reference URL: https://attack.mitre.org/techniques/T1053/
Sub-technique:
- Name: Systemd Timers
- ID: T1053.006
- Reference URL: https://attack.mitre.org/techniques/T1053/006/

« Cron Job Created or Changed by Previously Unknown Process New Systemd Service Created by Previously Unknown Process »