T1546.017 Google Chronicle · YARA-L

Detect Udev Rules in Google Chronicle

Adversaries may establish persistence by executing malicious content triggered by udev (userspace /dev) rules. udev is the device manager for the Linux kernel: it runs in userspace as systemd-udevd, receives device events from the kernel, and populates /dev dynamically. Udev rules files (*.rules under /etc/udev/rules.d/, /run/udev/rules.d/, /usr/lib/udev/rules.d/ and /lib/udev/rules.d/) define actions to execute when devices are connected or disconnected, or when other hardware events occur. Adversaries can create malicious udev rules that execute arbitrary commands when specific device events occur. Since udevd runs as root, any RUN directive in a udev rule executes with root privileges. Writing to the rules directories normally requires root already, so the technique is primarily a persistence mechanism; it becomes privilege escalation only where a rules file, or the program a RUN directive points to, is writable by a lower-privileged user. Two details matter for detection: udevd executes the RUN program directly rather than through a shell (a shell appears only if the rule invokes one), and it kills RUN programs that outlive the event timeout, so a rule that needs a long-lived payload must hand it off to something outside udev's process tree.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.017 Udev Rules
Canonical reference
https://attack.mitre.org/techniques/T1546/017/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule udev_rules_persistence_t1546_017 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of udev rules files by non-package-manager processes, or suspicious udevadm invocations. Adversaries may use udev rules for persistent root-level code execution (T1546.017)."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1546.017"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      (
        $e.metadata.event_type = "FILE_CREATION" or
        $e.metadata.event_type = "FILE_MODIFICATION"
      ) and
      // udev only loads files whose name ends in .rules; anchoring on $ drops .bak/.swp copies
      (
        $e.target.file.full_path = /\/etc\/udev\/rules\.d\/.+\.rules$/ or
        $e.target.file.full_path = /\/lib\/udev\/rules\.d\/.+\.rules$/ or
        $e.target.file.full_path = /\/usr\/lib\/udev\/rules\.d\/.+\.rules$/ or
        $e.target.file.full_path = /\/run\/udev\/rules\.d\/.+\.rules$/
      ) and
      // anchored so that /usr/bin/apt-evil or /usr/bin/dnf.sh do not slip through
      not $e.principal.process.file.full_path = /^\/(usr\/)?s?bin\/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef-client|salt-minion)$/
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      $e.target.process.file.full_path = /\/udevadm$/ and
      (
        $e.target.process.command_line = /trigger/ or
        $e.target.process.command_line = /settle/ or
        $e.target.process.command_line = /reload/ or
        $e.target.process.command_line = /control/
      ) and
      // systemd and systemd-udevd live under /usr/lib/systemd (or /lib/systemd), not /usr/bin,
      // so the exclusion has to cover that directory or every boot-time udevadm call alerts
      not $e.principal.process.file.full_path = /^\/(usr\/)?(s?bin|lib\/systemd)\/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|systemd|systemd-udevd|udevd)$/
    )

  condition:
    $e
}

YARA-L 2.0 rule detecting creation or modification of .rules files within udev rules directories (/etc/udev/rules.d/, /lib/udev/rules.d/, /usr/lib/udev/rules.d/, /run/udev/rules.d/) by processes not matching known package managers or configuration management tools. Also detects suspicious udevadm invocations (trigger, settle, reload, control) from unexpected parent processes. Udev rules run as root when device events fire, enabling stealthy persistence.
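Before shipping a rule like this to Chronicle it is worth dry-running its logic against the events you expect it to match and to suppress. The following is an added example, not code from the original page or from Argus: the rule's two branches re-expressed as Python predicates and run over constructed UDM-shaped events. The regexes mirror the rule's, with the rules-file match anchored on `.rules$` and the udevadm parent exclusion extended to /usr/lib/systemd (where systemd and systemd-udevd actually live) and anchored with `$`. The event dictionaries, hostnames and paths are made up for the test.

```python
"""Dry-run of the udev rules YARA-L logic over constructed UDM-shaped events.

Added example, not code from the original page or the Argus rule set. The
two predicates mirror the rule's two branches. Event shapes, hostnames and
paths below are constructed, not captured telemetry."""
import re

# Rules-file paths; udev only loads names ending in .rules, so anchor on $.
RULES_FILE_RE = re.compile(r"/(etc|lib|usr/lib|run)/udev/rules\.d/.+\.rules$")
# Writers allowed to touch rules files (package managers, CM agents).
PKG_MGR_RE = re.compile(
    r"^/(usr/)?s?bin/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef-client|salt-minion)$")
# Parents expected to run udevadm; systemd binaries live under lib/systemd.
UDEVADM_PARENT_RE = re.compile(
    r"^/(usr/)?(s?bin|lib/systemd)/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|systemd|systemd-udevd|udevd)$")
UDEVADM_RE = re.compile(r"/udevadm$")
UDEVADM_VERBS = ("trigger", "settle", "reload", "control")


def _get(event, dotted):
    """Read a dotted UDM path such as principal.process.file.full_path; '' if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return ""
        cur = cur.get(part, "")
    return cur if isinstance(cur, str) else ""


def file_branch(event):
    """Branch 1: rules file written by something other than a package manager."""
    if _get(event, "metadata.event_type") not in ("FILE_CREATION", "FILE_MODIFICATION"):
        return False
    if not RULES_FILE_RE.search(_get(event, "target.file.full_path")):
        return False
    return not PKG_MGR_RE.search(_get(event, "principal.process.file.full_path"))


def udevadm_branch(event):
    """Branch 2: udevadm trigger/settle/reload/control from an unexpected parent."""
    if _get(event, "metadata.event_type") != "PROCESS_LAUNCH":
        return False
    if not UDEVADM_RE.search(_get(event, "target.process.file.full_path")):
        return False
    cmdline = _get(event, "target.process.command_line")
    if not any(verb in cmdline for verb in UDEVADM_VERBS):
        return False
    return not UDEVADM_PARENT_RE.search(_get(event, "principal.process.file.full_path"))


def evaluate(event):
    return file_branch(event) or udevadm_branch(event)


# Constructed event builders (shape follows UDM field names used by the rule).
def _file_event(event_type, path, actor, host="web01"):
    return {"metadata": {"event_type": event_type},
            "principal": {"hostname": host, "process": {"file": {"full_path": actor}}},
            "target": {"file": {"full_path": path}}}


def _proc_event(path, cmdline, parent, host="web01"):
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"hostname": host, "process": {"file": {"full_path": parent}}},
            "target": {"process": {"file": {"full_path": path}, "command_line": cmdline}}}


# (label, event, should the rule fire?)
SAMPLE_EVENTS = [
    ("interactive write of a new rule",
     _file_event("FILE_CREATION", "/etc/udev/rules.d/99-argus-test.rules", "/usr/bin/tee"), True),
    ("dpkg installing a vendor rule",
     _file_event("FILE_MODIFICATION", "/usr/lib/udev/rules.d/60-persistent-storage.rules", "/usr/bin/dpkg"), False),
    ("backup copy, not a file udev loads",
     _file_event("FILE_CREATION", "/etc/udev/rules.d/70-snap.rules.bak", "/usr/bin/cp"), False),
    ("udevadm trigger from a shell",
     _proc_event("/usr/bin/udevadm", "udevadm trigger --subsystem-match=usb", "/usr/bin/bash"), True),
    ("udevadm settle at boot, parent systemd",
     _proc_event("/usr/bin/udevadm", "udevadm settle", "/usr/lib/systemd/systemd"), False),
    ("udevadm info, not one of the watched verbs",
     _proc_event("/usr/bin/udevadm", "udevadm info /dev/sda", "/usr/bin/bash"), False),
    ("Ansible task writing a rule: the writer is python3, so the exclusion does not apply",
     _file_event("FILE_CREATION", "/etc/udev/rules.d/80-site.rules", "/usr/bin/python3"), True),
]


def verify_samples():
    """True when every constructed event produces the verdict we expect."""
    return all(evaluate(ev) == expected for _, ev, expected in SAMPLE_EVENTS)


if __name__ == "__main__":
    for label, ev, expected in SAMPLE_EVENTS:
        print(f"{'ALERT ' if evaluate(ev) else 'quiet '} {label} (expected {expected})")
```

The last sample is the case the tuning section warns about: configuration-management agents write files from their interpreter, so a path-based exclusion for `ansible` or `puppet` never matches and those writes alert.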

Data Sources

  • Google Chronicle UDM
  • Linux endpoint telemetry via Chronicle forwarder
  • GCP Chronicle Security Operations

Required Tables

UDM Events: FILE_CREATION, FILE_MODIFICATION, PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate hardware driver or firmware package installation via apt, dpkg, rpm, or yum that writes udev rules as part of device support setup
  • System administrators or DevOps engineers manually writing udev rules for device naming, permissions, or event-triggered automount configurations
  • Configuration management automation (Ansible, Puppet, Chef, SaltStack) deploying udev rules as part of approved system configuration baselines. Note that these agents write files from their interpreter (python3 for Ansible and Salt, ruby for Puppet and Chef), not from a binary named ansible or puppet, so the path-based exclusion in the rule will not suppress them; tune on the parent process chain, the agent's service account, or the hosts where the agent runs instead
  • udevadm trigger and udevadm settle run at every boot (systemd-udev-trigger.service and initramfs scripts) with systemd as the parent. If your endpoint telemetry does not populate principal.process.file.full_path, the parent exclusion can never match and every boot will alert on the second branch

Testing Methodology

Validate this detection against the three Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Udev Rule for USB Device Persistence

    Expected signal: File creation event for /etc/udev/rules.d/99-argus-test.rules. Process creation for tee and udevadm. Auditd records for file creation in /etc/udev/rules.d/. When a USB device is inserted, systemd-udevd executes the RUN program as its child process (bash only if the rule invokes it; udev does not route RUN through a shell on its own).

  2. Test 2: Create Udev Rule Triggered by Network Interface

    Expected signal: File creation event for 99-argus-net-test.rules in /etc/udev/rules.d/. The rule fires when a network interface is added: logger is spawned by udevd as a child process, creating a syslog entry. The systemd journal shows udevd running the RUN directive.

  3. Test 3: Enumerate All Custom Udev Rules

    Expected signal: Process creation for grep and ls with udev directory arguments. Read-only, no modifications. The output reveals all custom rules and their RUN directives.
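Test 3 enumerates custom rules and their RUN directives, and the overview at the top of the page explains why those directives are the interesting part of a rule. The following is an added example, not part of the original page, the Pro test content or Argus's code, of doing that enumeration with a small parser rather than grep: it walks the udev rules syntax, pulls out every RUN, PROGRAM and IMPORT{program} directive (the forms that make udevd execute an external program), and applies three heuristics of my own that are not udev semantics (the directive invokes a shell or interpreter, references a user-writable path, or has no device-specific match condition). The sample rules are constructed; the live-host scan only does something on a Linux system.

```python
"""Enumerate program-executing directives in udev rules.

Added example, not code from the original page or the Argus rule set. It
parses udev rules text and reports every RUN, PROGRAM and IMPORT{program}
directive, i.e. the parts of a rule that make systemd-udevd execute an
external program as root. The sample rules at the bottom are constructed."""
import os
import re
from dataclasses import dataclass

# Directories udev loads *.rules from; a file in an earlier directory
# shadows a file of the same name in a later one.
UDEV_RULES_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d",
                   "/usr/lib/udev/rules.d", "/lib/udev/rules.d")

# One udev key expression: KEY{attr}op"value". "==" must precede "=" in the alternation.
_TOKEN = re.compile(r'(?P<key>[A-Z_]+)(?:\{(?P<attr>[^}]*)\})?'
                    r'\s*(?P<op>==|!=|\+=|-=|:=|=)\s*"(?P<value>(?:[^"\\]|\\.)*)"')

# (key, attr) pairs that execute an external program. RUN{builtin} and
# IMPORT{builtin,file,db,cmdline,parent} do not spawn anything.
_EXEC = {("RUN", ""), ("RUN", "program"), ("PROGRAM", ""), ("IMPORT", "program")}
_INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "python", "python3", "perl"}
_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


@dataclass
class ExecDirective:
    path: str
    lineno: int
    key: str           # RUN, PROGRAM or IMPORT
    command: str
    conditions: tuple  # (key, op, value) match expressions on the same line
    reasons: tuple     # heuristic findings; empty for an unremarkable directive


def _heuristics(command, conditions):
    """My own heuristics (not udev semantics) for what a persistence rule tends to look like."""
    reasons = []
    argv = command.split()
    if argv and os.path.basename(argv[0]) in _INTERPRETERS:
        reasons.append("invokes a shell/interpreter; udev runs RUN programs directly, so this usually chains commands")
    for tok in argv:
        if tok.lstrip("'\"").startswith(_WRITABLE_PREFIXES):
            reasons.append("references a user-writable path: " + tok.strip("'\""))
            break
    if all(k in ("ACTION", "SUBSYSTEM") for k, _, _ in conditions):
        reasons.append("no device-specific match; fires on every event of the subsystem")
    return tuple(reasons)


def parse_rules(text, path="<constructed>"):
    """Return ExecDirective objects for one rules file; backslash continuations are joined."""
    found, buf, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        conditions, execs = [], []
        for m in _TOKEN.finditer(line):
            key, attr = m.group("key"), m.group("attr") or ""
            if m.group("op") in ("==", "!="):
                conditions.append((key, m.group("op"), m.group("value")))
            elif (key, attr) in _EXEC:
                execs.append((key, m.group("value")))
        for key, command in execs:
            found.append(ExecDirective(path, start, key, command, tuple(conditions),
                                       _heuristics(command, conditions)))
    return found


def scan_udev_rules(dirs=UDEV_RULES_DIRS):
    """Walk the live rules directories, honouring same-name shadowing (/etc wins)."""
    seen, found = set(), []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".rules") or name in seen:
                continue
            seen.add(name)
            full = os.path.join(d, name)
            with open(full, errors="replace") as fh:
                found.extend(parse_rules(fh.read(), full))
    return found


# Constructed sample rules (not taken from a real system or any malware sample).
BENIGN_RULE = 'SUBSYSTEM=="usb", ATTR{idVendor}=="0781", MODE="0660", GROUP="plugdev"\n'
VENDOR_RULE = 'KERNEL=="sd*", ACTION=="add", IMPORT{program}="scsi_id --export --whitelisted -d $devnode"\n'
MALICIOUS_RULE = 'ACTION=="add", SUBSYSTEM=="usb", RUN+="/bin/bash -c \'/tmp/.x/payload.sh &\'"\n'

if __name__ == "__main__":
    for d in parse_rules(BENIGN_RULE + VENDOR_RULE + MALICIOUS_RULE, "sample.rules"):
        print(f"{d.path}:{d.lineno} {d.key} -> {d.command}")
        for r in d.reasons:
            print("   !", r)
    for d in scan_udev_rules():  # live host; prints only directives that trip a heuristic
        if d.reasons:
            print(f"{d.path}:{d.lineno} {d.key} -> {d.command} ({'; '.join(d.reasons)})")
```

On a host, compare the output of scan_udev_rules() with the package database (dpkg -S or rpm -qf on each reported path): a rules file under /etc/udev/rules.d that no package owns and that trips a heuristic is the case the Chronicle rule is meant to catch at write time.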
