Detect Udev Rules in CrowdStrike LogScale
Adversaries may establish persistence by executing malicious content triggered by udev (userspace /dev) rules. Udev is the Linux kernel device manager that handles device events and dynamic file system creation in /dev. Udev rules files (stored at /etc/udev/rules.d/ and /lib/udev/rules.d/) define actions to execute when devices are connected or disconnected, or when other hardware events occur. Adversaries can create malicious udev rules that execute arbitrary commands — potentially as root — when specific device events occur. Since udev runs as root, any RUN directive in a udev rule executes with root privileges, providing both persistence and privilege escalation.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.017 Udev Rules
- Canonical reference
- https://attack.mitre.org/techniques/T1546/017/
LogScale Detection Query
// Detect suspicious writes to udev rules directories
(
#event_simpleName = "PeFileWritten" OR #event_simpleName = "SuspiciousFileWrite"
)
| TargetFileName = /\.(rules)$/
| TargetDirectory = /\/(etc|lib|usr\/lib|run)\/udev\/rules\.d\//
| ImageFileName != /\/(usr\/)?(bin|sbin)\/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef-client|salt-minion)/
| table([aid, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, TargetDirectory, @timestamp])
// Union: detect suspicious udevadm invocations
| union
(
#event_simpleName = "ProcessRollup2"
| ImageFileName = /\/udevadm$/
| CommandLine = /(trigger|settle|reload|control)/
| ParentBaseFileName != /(apt|apt-get|dpkg|rpm|yum|dnf|zypper|systemd|udevd|udev)/
| table([aid, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, @timestamp])
)
| sort(@timestamp, order=desc)Detects suspicious writes to udev rules directories (/etc/udev/rules.d/, /lib/udev/rules.d/, /usr/lib/udev/rules.d/, /run/udev/rules.d/) by processes not matching known package managers or configuration management tools. Also detects udevadm invocations with trigger, settle, reload, or control arguments from unexpected parent processes. Attackers abuse udev RUN directives to execute commands as root on device events for persistent access.
Data Sources
Required Tables
False Positives & Tuning
- Package manager operations (apt, dpkg, yum, rpm, dnf) installing hardware drivers, firmware packages, or kernel modules that include bundled udev rules files
- System administrators directly editing udev rules files for legitimate device management tasks such as USB device permissions, persistent network interface naming, or custom device event handlers
- Configuration management tools (Ansible, Puppet, Chef, SaltStack) applying device configuration policies across Linux hosts during scheduled infrastructure automation runs
Other platforms for T1546.017
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Udev Rule for USB Device Persistence
Expected signal: File creation event for /etc/udev/rules.d/99-argus-test.rules. Process creation for tee and udevadm. Auditd records for file creation in /etc/udev/rules.d/. When a USB device is inserted, udevd spawns bash to execute the RUN directive — child process of udevd.
- Test 2Create Udev Rule Triggered by Network Interface
Expected signal: File creation event for 99-argus-net-test.rules in /etc/udev/rules.d/. The rule fires when a network interface is added — logger is spawned by udevd as a child process, creating a syslog entry. Systemd journal shows udevd running the RUN directive.
- Test 3Enumerate All Custom Udev Rules
Expected signal: Process creation for grep, ls with udev directory arguments. Read-only — no modifications. The output reveals all custom rules and their RUN directives.
Unlock Pro Content
Get the full detection package for T1546.017 including response playbook, investigation guide, and atomic red team tests.