Udev Rules

DeviceFileEvents
| where Timestamp > ago(24h)
| where (
    FolderPath has "/etc/udev/rules.d/"
    or FolderPath has "/lib/udev/rules.d/"
    or FolderPath has "/usr/lib/udev/rules.d/"
    or FolderPath has "/run/udev/rules.d/"
  )
| where ActionType in ("FileCreated", "FileModified")
| extend FileName_lc = tolower(FileName)
| extend IsRulesFile = FileName endswith ".rules"
| extend IsEtcRules = FolderPath has "/etc/udev/rules.d/"
| extend SuspiciousWriter = InitiatingProcessFileName !in~ (
    "apt", "dpkg", "rpm", "yum", "dnf", "zypper",
    "ansible", "puppet", "chef", "salt-minion"
  )
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
         IsRulesFile, IsEtcRules, SuspiciousWriter,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| where IsRulesFile
| sort by Timestamp desc

index=syslog (sourcetype=linux_secure OR sourcetype=syslog)
| eval IsUdevRulesWrite=if(
    match(_raw, "(/etc/udev/rules\.d/|/lib/udev/rules\.d/|/usr/lib/udev/rules\.d/)")
    AND match(_raw, "\.rules")
    AND match(_raw, "(wrote|write|create|WRITE|CREATE|open.*O_CREAT|open.*WRONLY)"),
    1, 0
  )
| eval IsUdevExec=if(
    match(_raw, "udevadm") AND match(_raw, "(trigger|settle|reload|control)"),
    1, 0
  )
| eval SuspiciousWriter=if(
    IsUdevRulesWrite=1
    AND NOT match(_raw, "(apt|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef|salt)"),
    1, 0
  )
| where IsUdevRulesWrite=1 OR (IsUdevExec=1 AND SuspiciousWriter=1)
| table _time, host, user, _raw, IsUdevRulesWrite, IsUdevExec, SuspiciousWriter
| sort - _time

any where (
  (
    event.category == "file" and
    event.type in ("creation", "change") and
    (
      file.path like "/etc/udev/rules.d/*" or
      file.path like "/lib/udev/rules.d/*" or
      file.path like "/usr/lib/udev/rules.d/*" or
      file.path like "/run/udev/rules.d/*"
    ) and
    file.name like "*.rules" and
    not process.name in ("apt", "dpkg", "rpm", "yum", "dnf", "zypper", "ansible", "puppet", "chef", "salt-minion")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.name == "udevadm" and
    process.args in ("trigger", "settle", "reload", "control") and
    not process.parent.name in ("apt", "dpkg", "rpm", "yum", "dnf", "zypper", "systemd", "udev")
  )
)

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "FILE_PATH",
  "FILE_NAME",
  "PROCESS_NAME",
  "COMMAND",
  CASE
    WHEN "FILE_PATH" IMATCHES '.*/(etc|lib|usr/lib|run)/udev/rules\.d/.*\.rules.*'
     AND "PROCESS_NAME" NOT IMATCHES '.*(apt|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef|salt).*'
    THEN 'Suspicious udev rules write'
    WHEN "COMMAND" IMATCHES '.*udevadm.*(trigger|settle|reload|control).*'
     AND "PROCESS_NAME" NOT IMATCHES '.*(apt|dpkg|rpm|yum|dnf|zypper|systemd|udev).*'
    THEN 'Suspicious udevadm execution'
    ELSE 'Unknown'
  END AS detection_reason
FROM events
WHERE
  LOGSOURCETYPEID IN (
    SELECT id FROM logsourcetypes WHERE name ILIKE '%linux%' OR name ILIKE '%syslog%' OR name ILIKE '%auditd%'
  )
  AND starttime > NOW() - 86400000
  AND (
    (
      "FILE_PATH" IMATCHES '.*/(etc|lib|usr/lib|run)/udev/rules\.d/.*'
      AND "FILE_NAME" IMATCHES '.*\.rules'
      AND "COMMAND" IMATCHES '.*(wrote|write|create|WRITE|CREATE|open.*O_CREAT|open.*WRONLY).*'
      AND "PROCESS_NAME" NOT IMATCHES '.*(apt|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef|salt).*'
    )
    OR
    (
      "COMMAND" IMATCHES '.*udevadm.*(trigger|settle|reload|control).*'
      AND "PROCESS_NAME" NOT IMATCHES '.*(apt|dpkg|rpm|yum|dnf|zypper|systemd|udev).*'
    )
  )
ORDER BY starttime DESC

_sourceCategory=linux* OR _sourceCategory=syslog* OR _sourceCategory=auditd*
| parse regex "(?<file_path>/(?:etc|lib|usr/lib|run)/udev/rules\.d/[^\s]+\.rules)" nodrop
| parse regex "(?<process_name>\b(?:apt|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef|salt-minion|systemd|udevd)\b)" as package_manager nodrop
| parse regex "(?<udevadm_cmd>udevadm\s+(?:trigger|settle|reload|control)[^\n]*)" nodrop
| eval is_udev_rules_write = if (!isNull(file_path) AND ((_raw matches /write|wrote|create|WRITE|CREATE|O_CREAT|WRONLY/)), 1, 0)
| eval is_udev_exec = if (!isNull(udevadm_cmd), 1, 0)
| eval is_package_manager = if (!isNull(package_manager), 1, 0)
| eval suspicious_write = if (is_udev_rules_write == 1 AND is_package_manager == 0, 1, 0)
| eval suspicious_exec = if (is_udev_exec == 1 AND is_package_manager == 0, 1, 0)
| where suspicious_write == 1 OR suspicious_exec == 1
| eval detection_type = if (suspicious_write == 1, "Udev Rules File Write", "Suspicious udevadm Execution")
| fields _messageTime, _sourceHost, _sourceCategory, file_path, udevadm_cmd, detection_type, suspicious_write, suspicious_exec
| sort by _messageTime desc

rule udev_rules_persistence_t1546_017 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of udev rules files by non-package-manager processes, or suspicious udevadm invocations. Adversaries may use udev rules for persistent root-level code execution (T1546.017)."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1546.017"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      (
        $e.metadata.event_type = "FILE_CREATION" or
        $e.metadata.event_type = "FILE_MODIFICATION"
      ) and
      (
        $e.target.file.full_path = /\/etc\/udev\/rules\.d\/.+\.rules/ or
        $e.target.file.full_path = /\/lib\/udev\/rules\.d\/.+\.rules/ or
        $e.target.file.full_path = /\/usr\/lib\/udev\/rules\.d\/.+\.rules/ or
        $e.target.file.full_path = /\/run\/udev\/rules\.d\/.+\.rules/
      ) and
      not $e.principal.process.file.full_path = /\/(usr\/bin|bin)\/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef-client|salt-minion)/
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      $e.target.process.file.full_path = /\/.*udevadm/ and
      (
        $e.target.process.command_line = /trigger/ or
        $e.target.process.command_line = /settle/ or
        $e.target.process.command_line = /reload/ or
        $e.target.process.command_line = /control/
      ) and
      not $e.principal.process.file.full_path = /\/(usr\/bin|bin)\/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|systemd|udevd)/
    )

  condition:
    $e
}

// Detect suspicious writes to udev rules directories
(
  #event_simpleName = "PeFileWritten" OR #event_simpleName = "SuspiciousFileWrite"
)
| TargetFileName = /\.(rules)$/
| TargetDirectory = /\/(etc|lib|usr\/lib|run)\/udev\/rules\.d\//
| ImageFileName != /\/(usr\/)?(bin|sbin)\/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef-client|salt-minion)/
| table([aid, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, TargetDirectory, @timestamp])

// Union: detect suspicious udevadm invocations
| union
(
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /\/udevadm$/
  | CommandLine = /(trigger|settle|reload|control)/
  | ParentBaseFileName != /(apt|apt-get|dpkg|rpm|yum|dnf|zypper|systemd|udevd|udev)/
  | table([aid, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, @timestamp])
)
| sort(@timestamp, order=desc)