Detect Udev Rules in Splunk
Adversaries may establish persistence by executing malicious content triggered by udev (userspace /dev) rules. Udev is the Linux kernel device manager that handles device events and dynamic file system creation in /dev. Udev rules files (stored at /etc/udev/rules.d/ and /lib/udev/rules.d/) define actions to execute when devices are connected or disconnected, or when other hardware events occur. Adversaries can create malicious udev rules that execute arbitrary commands — potentially as root — when specific device events occur. Since udev runs as root, any RUN directive in a udev rule executes with root privileges, providing both persistence and privilege escalation.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.017 Udev Rules
- Canonical reference
- https://attack.mitre.org/techniques/T1546/017/
SPL Detection Query
index=syslog (sourcetype=linux_secure OR sourcetype=syslog)
| eval IsUdevRulesWrite=if(
match(_raw, "(/etc/udev/rules\.d/|/lib/udev/rules\.d/|/usr/lib/udev/rules\.d/)")
AND match(_raw, "\.rules")
AND match(_raw, "(wrote|write|create|WRITE|CREATE|open.*O_CREAT|open.*WRONLY)"),
1, 0
)
| eval IsUdevExec=if(
match(_raw, "udevadm") AND match(_raw, "(trigger|settle|reload|control)"),
1, 0
)
| eval SuspiciousWriter=if(
IsUdevRulesWrite=1
AND NOT match(_raw, "(apt|dpkg|rpm|yum|dnf|zypper|ansible|puppet|chef|salt)"),
1, 0
)
| where IsUdevRulesWrite=1 OR (IsUdevExec=1 AND SuspiciousWriter=1)
| table _time, host, user, _raw, IsUdevRulesWrite, IsUdevExec, SuspiciousWriter
| sort - _timeDetects udev rules file modifications and associated udevadm commands using Linux syslog and auditd data. Requires auditd file watch rules on udev directories for highest fidelity: auditctl -w /etc/udev/rules.d/ -p wa -k udev_rules. Also monitors for udevadm trigger/reload commands that activate newly created rules without requiring a reboot.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Package managers installing device management rules
- Configuration management tools deploying udev rules
- Hardware vendor software installing device rules
- System administrators manually creating udev rules
Other platforms for T1546.017
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Udev Rule for USB Device Persistence
Expected signal: File creation event for /etc/udev/rules.d/99-argus-test.rules. Process creation for tee and udevadm. Auditd records for file creation in /etc/udev/rules.d/. When a USB device is inserted, udevd spawns bash to execute the RUN directive — child process of udevd.
- Test 2Create Udev Rule Triggered by Network Interface
Expected signal: File creation event for 99-argus-net-test.rules in /etc/udev/rules.d/. The rule fires when a network interface is added — logger is spawned by udevd as a child process, creating a syslog entry. Systemd journal shows udevd running the RUN directive.
- Test 3Enumerate All Custom Udev Rules
Expected signal: Process creation for grep, ls with udev directory arguments. Read-only — no modifications. The output reveals all custom rules and their RUN directives.
Unlock Pro Content
Get the full detection package for T1546.017 including response playbook, investigation guide, and atomic red team tests.