Event Triggered Execution: Udev Rules

Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the /dev directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with match keys to specify the conditions a hardware event must meet and action keys to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in /etc/udev/rules.d/, /run/udev/rules.d/, /usr/lib/udev/rules.d/, /usr/local/lib/udev/rules.d/, and /lib/udev/rules.d/. Rule priority is determined by both directory and by the digit prefix in the rule filename.[1][2]

Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as /dev/random, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key RUN+= to detach and run the malicious content’s process in the background to bypass these controls.[3]

ID: T1546.017
Sub-technique of:  T1546
Platforms: Linux
Contributors: @grahamhelton3; Eder Pérez Ignacio, @ch4ik0; Eduardo González Hernández (@codexlynx); Ruben Groenewoud, Elastic; Wirapong Petshagun
Version: 1.0
Created: 26 September 2024
Last Modified: 11 November 2024

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0022 File File Modification

Monitor the creation and modification of files in the directories where udev rules are located: /etc/udev/rules.d/, /run/udev/rules.d/, /lib/udev/rules.d/, /usr/lib/udev/rules.d/, and /usr/local/lib/udev/rules.d/. Analyze and monitor changes to RUN assignment key.[1][2]

DS0009 Process Process Creation

Monitor the creation of new processes that are children of systemd-udevd.service at the process tree level.[1]

References