AN0645: Analytic 0645
Detects adversarial abuse of systemd timers by correlating file creation/modification of .timer and .service units in system directories with the execution of abnormal child processes launched by 'systemd' (PID 1), especially as root.
Analyst context for executives and security teams
This analytic matters because systemd timers can turn a Linux server’s normal scheduling mechanism into a persistence path. For leaders, the key question is not simply whether systemd exists, but whether the organization can prove it notices suspicious timer/service unit changes and unusual processes started by PID 1, especially with root privileges.
Executive priority
Prioritize this where Linux systems support business-critical applications, administrative infrastructure, or regulated workloads. The decision value is resilience and evidence: security leaders should confirm that file integrity, process telemetry, and SOC procedures can distinguish authorized operational automation from suspicious persistence using systemd timers. This also supports incident response readiness by helping teams identify when a Linux host may require deeper containment and persistence review.
Technical view
For Linux environments, validate correlation between creation or modification of .timer and .service unit files in system directories and subsequent abnormal child processes launched by systemd as PID 1, particularly when running as root. Because no ATT&CK tactic or detailed detection logic is supplied, teams should treat this as a detection validation objective rather than a complete rule. Baseline expected systemd-managed services and timers, then review deviations involving new or modified unit files and unexpected process ancestry from systemd.
Likely telemetry
- Linux file creation and modification events for .timer and .service unit files in system directories
- Process execution telemetry showing parent process, child process, PID, and user context
- Evidence that systemd is PID 1 for the observed process chain
- Root or privileged execution context for processes launched by systemd
- Host inventory or baseline data for expected systemd timers and services
Detection direction
- Confirm that Linux endpoint or audit telemetry captures both unit-file changes and process ancestry; either source alone may be insufficient.
- Correlate unit-file creation/modification with later systemd-launched child processes rather than alerting only on file writes.
- Tune against known administrative automation, package installation, and legitimate service deployment workflows to reduce false positives.
- Pay attention to abnormal child processes launched by systemd as PID 1, especially as root, and use local baselines to define what counts as abnormal.
- Review visibility gaps on minimally monitored Linux servers, ephemeral workloads, or systems where file auditing is not enabled for system directories.
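The correlation the list above describes, as an added example that is not part of the ATT&CK analytic or of Glexia's tooling: unit-file writes under system directories are only reported once a later root process with PID 1 as its parent and a non-baselined executable follows them. The `ts KIND key=value` event format, the 24-hour window and the baseline set are constructed assumptions to be mapped onto local auditd or EDR fields.

```python
# Added example (not MITRE's or Glexia's code): correlate .timer/.service writes in
# system directories with later root processes whose parent is PID 1. The
# 'ts KIND k=v' event format, 24h window and baseline set are constructed assumptions.
import re
from datetime import datetime, timedelta

SYSTEM_UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/",
                    "/run/systemd/system/")
UNIT_FILE_RE = re.compile(r"\.(timer|service)$")
WINDOW = timedelta(hours=24)
# Constructed local baseline: executables PID 1 is expected to launch as root.
BASELINE_EXES = {"/usr/bin/apt-get", "/usr/sbin/logrotate",
                 "/usr/lib/systemd/systemd-tmpfiles"}

def parse_event(line):
    """Parse one constructed 'ts KIND k=v k=v ...' line into a dict."""
    ts, kind, rest = line.split(" ", 2)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev.update(ts=datetime.fromisoformat(ts), kind=kind)
    return ev

def correlate(lines, window=WINDOW, baseline=BASELINE_EXES):
    """Return sorted (unit_path, exe) pairs where a unit-file write in a system
    directory is followed within `window` by a root child of PID 1 whose
    executable is not in the local baseline. A write alone never alerts."""
    events = sorted(map(parse_event, lines), key=lambda e: e["ts"])
    unit_writes, hits = [], set()
    for ev in events:
        if ev["kind"] == "FILE":
            path = ev["path"]
            if path.startswith(SYSTEM_UNIT_DIRS) and UNIT_FILE_RE.search(path):
                unit_writes.append(ev)
        elif (ev["kind"] == "PROC" and ev["ppid"] == "1" and ev["uid"] == "0"
              and ev["exe"] not in baseline):
            hits.update((w["path"], ev["exe"]) for w in unit_writes
                        if ev["ts"] - w["ts"] <= window)
    return sorted(hits)

# Constructed sample telemetry: a baselined package timer run two days earlier
# (outside the window), a user-scope unit outside system directories, and a new
# system timer/service pair followed by an unexpected root process under PID 1.
SAMPLE_EVENTS = [
    "2024-04-29T06:00:00 FILE path=/etc/systemd/system/apt-daily.timer op=modify uid=0",
    "2024-04-29T06:10:00 PROC pid=1201 ppid=1 uid=0 exe=/usr/bin/apt-get",
    "2024-05-01T08:00:00 FILE path=/home/dev/.config/systemd/user/backup.timer op=create uid=1000",
    "2024-05-01T10:00:00 FILE path=/etc/systemd/system/cleanup.timer op=create uid=0",
    "2024-05-01T10:00:01 FILE path=/etc/systemd/system/cleanup.service op=create uid=0",
    "2024-05-01T10:15:00 PROC pid=1340 ppid=1 uid=0 exe=/var/tmp/.sync/agent",
]
```

Running `correlate(SAMPLE_EVENTS)` yields the two new unit files paired with the unexpected executable; adding that executable to the baseline, or removing the PROC event, yields nothing, which is the tuning lever the list above refers to.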
Mitigation priorities
- Establish ownership and change-control expectations for systemd timer and service unit files on Linux systems.
- Limit privileged administrative access that can create or modify system-level unit files.
- Maintain baselines of approved timers and services for critical Linux hosts.
- Ensure incident response playbooks include review of systemd timers, associated service units, and systemd-spawned process history during Linux persistence investigations.
- Use compliance or audit evidence to demonstrate monitoring of privileged service configuration changes where required.
Analyst notes and limits
The supplied object is a detection analytic for Linux focused on adversarial abuse of systemd timers. It provides a useful correlation concept but no detailed official detection logic, no ATT&CK tactic mapping, and no relationship context. Practical implementation requires local knowledge of expected systemd activity and administrative workflows.
This take is based only on the supplied STIX fields, MITRE external reference, and stated description. No active exploitation, attribution, impact, or guaranteed coverage is implied. Detection quality depends on local Linux telemetry, file auditing scope, process lineage fidelity, and baseline accuracy.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 89ff7358836a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0645
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.