Detect Udev Rules in Elastic Security
Adversaries may establish persistence by executing malicious content triggered by udev (userspace /dev) rules. Udev is the Linux kernel device manager that handles device events and dynamic file system creation in /dev. Udev rules files (stored at /etc/udev/rules.d/ and /lib/udev/rules.d/) define actions to execute when devices are connected or disconnected, or when other hardware events occur. Adversaries can create malicious udev rules that execute arbitrary commands — potentially as root — when specific device events occur. Since udev runs as root, any RUN directive in a udev rule executes with root privileges, providing both persistence and privilege escalation.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.017 Udev Rules
- Canonical reference
- https://attack.mitre.org/techniques/T1546/017/
Elastic Detection Query
any where (
(
event.category == "file" and
event.type in ("creation", "change") and
(
file.path like "/etc/udev/rules.d/*" or
file.path like "/lib/udev/rules.d/*" or
file.path like "/usr/lib/udev/rules.d/*" or
file.path like "/run/udev/rules.d/*"
) and
file.name like "*.rules" and
not process.name in ("apt", "dpkg", "rpm", "yum", "dnf", "zypper", "ansible", "puppet", "chef", "salt-minion")
) or
(
event.category == "process" and
event.type == "start" and
process.name == "udevadm" and
process.args in ("trigger", "settle", "reload", "control") and
not process.parent.name in ("apt", "dpkg", "rpm", "yum", "dnf", "zypper", "systemd", "udev")
)
)Detects suspicious creation or modification of udev rules files in /etc/udev/rules.d/, /lib/udev/rules.d/, /usr/lib/udev/rules.d/, or /run/udev/rules.d/ by non-package-manager processes, or suspicious udevadm invocations (trigger/settle/reload) from unexpected parent processes. Udev rules execute as root when device events fire, enabling persistent root-level code execution.
Data Sources
Required Tables
False Positives & Tuning
- System administrators manually creating or editing udev rules for legitimate device management (e.g., USB permissions, network interface renaming, udev-based automount rules)
- Package managers (apt, dpkg, rpm, yum, dnf) installing hardware support packages that include udev rules (e.g., libusb, udev-extras, firmware packages)
- Configuration management tools (Ansible, Puppet, Chef, SaltStack) deploying infrastructure-wide device configuration changes during scheduled runs
Other platforms for T1546.017
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Udev Rule for USB Device Persistence
Expected signal: File creation event for /etc/udev/rules.d/99-argus-test.rules. Process creation for tee and udevadm. Auditd records for file creation in /etc/udev/rules.d/. When a USB device is inserted, udevd spawns bash to execute the RUN directive — child process of udevd.
- Test 2Create Udev Rule Triggered by Network Interface
Expected signal: File creation event for 99-argus-net-test.rules in /etc/udev/rules.d/. The rule fires when a network interface is added — logger is spawned by udevd as a child process, creating a syslog entry. Systemd journal shows udevd running the RUN directive.
- Test 3Enumerate All Custom Udev Rules
Expected signal: Process creation for grep, ls with udev directory arguments. Read-only — no modifications. The output reveals all custom rules and their RUN directives.
Unlock Pro Content
Get the full detection package for T1546.017 including response playbook, investigation guide, and atomic red team tests.