Description
Detects creation of systemd timer files in suspicious contexts that may indicate persistence establishment.
Target Ruleset
linux
Target Rule Type
Custom (KQL or Lucene)
Tested ECS Version
9.2.0
Query
file where host.os.type == "linux" and event.type == "creation" and
/* Detect .timer file creation */
file.extension == "timer" and
file.path : ("/etc/systemd/system/*.timer",
             "/lib/systemd/system/*.timer",
             "/usr/lib/systemd/system/*.timer",
             "/home/*/.config/systemd/user/*.timer",
             "/root/.config/systemd/user/*.timer") and
/* Created by suspicious processes */
(
  process.name in ("bash", "sh", "dash", "zsh", "fish", "python", "python3", "perl", "ruby") or
  process.name in ("curl", "wget", "nc", "ncat", "socat") or
  process.parent.name in ("bash", "sh", "curl", "wget")
) and
/* Exclude package managers */
not process.parent.name in ("dpkg", "apt", "apt-get", "yum", "dnf", "zypper", "rpm") and
not process.name in ("dpkg", "apt", "yum", "dnf")
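As an added example (not part of the issue or the detection-rules repository), the same rule logic in Python run over constructed, flattened ECS events, so the path globs, process conditions and package-manager exclusions can be checked offline. The field names follow ECS; `matches_rule`, `_event`, `run_rule` and the sample events are assumptions made for this example.

```python
import fnmatch

# Path globs from the proposed rule; "*" in EQL, as in fnmatch, also spans "/".
TIMER_GLOBS = ("/etc/systemd/system/*.timer", "/lib/systemd/system/*.timer",
               "/usr/lib/systemd/system/*.timer", "/home/*/.config/systemd/user/*.timer",
               "/root/.config/systemd/user/*.timer")
INTERPRETERS = {"bash", "sh", "dash", "zsh", "fish", "python", "python3", "perl", "ruby"}
DOWNLOADERS = {"curl", "wget", "nc", "ncat", "socat"}
SUSPICIOUS_PARENTS = {"bash", "sh", "curl", "wget"}
PKG_PARENTS = {"dpkg", "apt", "apt-get", "yum", "dnf", "zypper", "rpm"}
PKG_PROCESSES = {"dpkg", "apt", "yum", "dnf"}

def matches_rule(event: dict) -> bool:
    """Return True when a flattened ECS event satisfies the proposed EQL rule."""
    # "file where ..." restricts the rule to file-category events; then host/type checks.
    if event.get("event.category") != "file" or event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "creation" or event.get("file.extension") != "timer":
        return False
    # Approximation: EQL's ":" is case-insensitive; fnmatchcase is case-sensitive.
    if not any(fnmatch.fnmatchcase(event.get("file.path", ""), g) for g in TIMER_GLOBS):
        return False
    proc, parent = event.get("process.name", ""), event.get("process.parent.name", "")
    # The creator must be an interpreter or downloader, or be spawned by one.
    if not (proc in INTERPRETERS or proc in DOWNLOADERS or parent in SUSPICIOUS_PARENTS):
        return False
    # Package-manager exclusions (e.g. maintainer scripts run as sh under dpkg).
    return parent not in PKG_PARENTS and proc not in PKG_PROCESSES

def _event(path: str, proc: str, parent: str) -> dict:
    """Build a constructed, flattened ECS file-creation event."""
    return {"host.os.type": "linux", "event.category": "file", "event.type": "creation",
            "file.path": path, "file.extension": path.rsplit(".", 1)[-1],
            "process.name": proc, "process.parent.name": parent}

# Constructed sample events (not from the issue) covering each branch of the rule.
SAMPLE_EVENTS = [
    _event("/etc/systemd/system/backup.timer", "bash", "sshd"),                # fires
    _event("/home/alice/.config/systemd/user/sync.timer", "python3", "bash"),  # fires
    _event("/lib/systemd/system/apt-daily.timer", "sh", "dpkg"),               # package manager, excluded
    _event("/etc/systemd/system/logrotate.timer", "systemd", "systemd"),       # not a suspicious creator
    _event("/tmp/stage.timer", "bash", "sh"),                                  # outside monitored paths
    _event("/etc/systemd/system/backup.service", "bash", "sh"),                # wrong extension
]

def run_rule(events) -> list:
    """Return the file paths of events that would fire the rule, in input order."""
    return [e["file.path"] for e in events if matches_rule(e)]
```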
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response