Systemd Timer Units

Linux, Persistence Mechanisms, Disk Image

Location

/etc/systemd/system/*.timer, /usr/lib/systemd/system/*.timer, and ~/.config/systemd/user/*.timer

Common Names

.timer units, systemctl list-timers

Description

Systemd timer unit files that schedule one-shot or recurring execution of services. Timers can replace cron by triggering a paired .service on boot, after a delay, or on a calendar schedule.

Forensic Value

Timers are a common modern persistence mechanism on systemd-based distributions because they blend into legitimate service management and can survive package upgrades or config management changes. The unit contents reveal the exact trigger cadence, the service they activate, and whether missed runs are replayed after downtime. Comparing timer files with recent service creation and journal events can expose delayed payload execution, miner restarts, or attacker-installed maintenance jobs that cron-only reviews would miss.
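The fields named above can be pulled from a collected copy of the unit files in one pass. This is an added example, not part of the original page: the function names (unit_key, summarize_timers, make_sample) and the sample unit names and paths are constructed for illustration. It reads each .timer file as collected and does not merge drop-in overrides.

```sh
#!/bin/sh
# Added example: summarize collected .timer units and the services they start.
# Constructed sample data; drop-in overrides (*.timer.d/) are not merged.

# unit_key FILE KEY -> all values of KEY in FILE, joined with "; "
unit_key() {
    awk -v k="$2" '{
        i = index($0, "="); if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == k) out = (out == "" ? val : out "; " val)
    } END { print out }' "$1"
}

# summarize_timers ROOT -> "timer|triggers|activated unit|Persistent|ExecStart"
summarize_timers() {
    find "$1" -type f -name '*.timer' | sort | while IFS= read -r t; do
        trig=""
        for k in OnCalendar OnBootSec OnStartupSec OnActiveSec \
                 OnUnitActiveSec OnUnitInactiveSec; do
            v=$(unit_key "$t" "$k")
            if [ -n "$v" ]; then trig="${trig:+$trig, }$k=$v"; fi
        done
        unit=$(unit_key "$t" Unit)
        # With no Unit=, a timer activates the service sharing its name.
        [ -n "$unit" ] || unit="$(basename "$t" .timer).service"
        pers=$(unit_key "$t" Persistent)   # unset means false
        svc=$(find "$1" -type f -name "$unit" | head -n 1)
        if [ -n "$svc" ]; then cmd=$(unit_key "$svc" ExecStart)
        else cmd="SERVICE-NOT-COLLECTED"; fi
        printf '%s|%s|%s|%s|%s\n' "${t#"$1"/}" "${trig:-none}" "$unit" \
            "${pers:-false}" "$cmd"
    done
}

# make_sample DIR -> writes constructed unit files for the demonstration
make_sample() {
    mkdir -p "$1/etc/systemd/system" "$1/home/alice/.config/systemd/user"
    printf '[Timer]\nOnCalendar=*-*-* 03:00:00\nPersistent=true\nUnit=cache-sync.service\n' \
        > "$1/etc/systemd/system/update-check.timer"
    printf '[Service]\nExecStart=/usr/local/bin/cache-sync --quiet\n' \
        > "$1/etc/systemd/system/cache-sync.service"
    printf '[Timer]\nOnBootSec=10min\nOnUnitActiveSec=1h\n' \
        > "$1/home/alice/.config/systemd/user/backup.timer"
}

demo=$(mktemp -d) && make_sample "$demo" && summarize_timers "$demo"
rm -rf "$demo"
```

A timer whose activated unit differs from its own name, or whose service file was not collected, stands out in the third and fifth columns.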

Tools Required

systemctl, find, cat, journalctl

Collection Commands

systemctl

systemctl list-timers --all > /forensics/output/systemd_timers.txt

find

find /etc/systemd/system /usr/lib/systemd/system /home/*/.config/systemd/user -name "*.timer" -exec cp --parents {} /forensics/output/ \; 2>/dev/null

journalctl

journalctl --unit="*.timer" --since "2024-01-01" > /forensics/output/systemd_timer_journal.txt

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Timer units are primarily relevant on systemd-based systems. Service names, drop-ins, and user-level timers vary by distribution and user profile.

MITRE ATT&CK Techniques

T1053.006, T1543.002, T1037