1. Home
  2. Techniques
  3. Enterprise
  4. Event Triggered Execution
  5. Udev Rules

Event Triggered Execution: Udev Rules

ID Name
T1546.001 Change Default File Association
T1546.002 Screensaver
T1546.003 Windows Management Instrumentation Event Subscription
T1546.004 Unix Shell Configuration Modification
T1546.005 Trap
T1546.006 LC_LOAD_DYLIB Addition
T1546.007 Netsh Helper DLL
T1546.008 Accessibility Features
T1546.009 AppCert DLLs
T1546.010 AppInit DLLs
T1546.011 Application Shimming
T1546.012 Image File Execution Options Injection
T1546.013 PowerShell Profile
T1546.014 Emond
T1546.015 Component Object Model Hijacking
T1546.016 Installer Packages
T1546.017 Udev Rules
T1546.018 Python Startup Hooks

Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the /dev directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with match keys to specify the conditions a hardware event must meet and action keys to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in /etc/udev/rules.d/, /run/udev/rules.d/, /usr/lib/udev/rules.d/, /usr/local/lib/udev/rules.d/, and /lib/udev/rules.d/. Rule priority is determined by both directory and by the digit prefix in the rule filename.[1][2]

Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as /dev/random, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key RUN+= to detach and run the malicious content’s process in the background to bypass these controls.[3]

ID: T1546.017
Sub-technique of:  T1546
Platforms: Linux
Contributors: @grahamhelton3; Eder Pérez Ignacio, @ch4ik0; Eduardo González Hernández (@codexlynx); Ruben Groenewoud (@RFGroenewoud); Wirapong Petshagun
Version: 1.0
Created: 26 September 2024
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1219 REPTILE

REPTILE has used udev for persistence.[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0375 Detection Strategy for T1546.017 - Udev Rules (Linux) AN1056

Monitor for creation or modification of udev rules files in key directories (/etc/udev/rules.d/, /lib/udev/rules.d/, /usr/lib/udev/rules.d/). Look for RUN+= or IMPORT keys invoking suspicious binaries or scripts. Correlate this with process execution from systemd-udevd context, and file writes near udev reload/restart events. Combine this with unexpected background process spawning from udevd-related forks.

References

  1. Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for persistence. Retrieved September 26, 2024.
  2. Ruben Groenewoud. (2024, August 29). Linux Detection Engineering - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
  1. Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.
  2. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.