title: Udev Rules (T1546.017)
id: df00tech-t1546-017
status: experimental
description: "Adversaries may establish persistence by executing malicious content triggered by udev (userspace /dev) rules. Udev is the Linux kernel device manager: it handles device events and dynamically creates device nodes in /dev. Udev rules files (stored in /etc/udev/rules.d/ and /lib/udev/rules.d/) define actions to execute when devices are connected or disconnected, or when other hardware events occur. Adversaries can create malicious udev rules that execute arbitrary commands, potentially as root, when specific device events occur. Because the udev daemon runs as root, any RUN directive in a udev rule executes with root privileges, which provides both persistence and privilege escalation."
references:
  - https://attack.mitre.org/techniques/T1546/017/
  - https://df00tech.com/detections/T1546.017
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.017
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The technique is Linux-only (udev), so the product has been corrected from windows to linux.
logsource:
  product: linux
  category: file_event
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is derived from the rules directories named in the description:
  # it matches any file created or modified under a udev rules directory.
  selection:
    TargetFilename|contains:
      - '/etc/udev/rules.d/'
      - '/lib/udev/rules.d/'
  condition: selection
falsepositives:
  - "Linux package installations (apt, dpkg, rpm, yum) that install device management rules as part of hardware driver or udev rule packages"
  - "Configuration management tools (Ansible, Puppet, Chef, Salt) that deploy custom udev rules for device configuration as part of system baseline enforcement"
  - "Hardware vendor software that installs udev rules to configure specific hardware devices (e.g., USB security keys, printers, network interfaces)"
  - "System administrators manually creating udev rules to manage device permissions or automate device-triggered workflows"
level: high

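The description above names the rules directories and the RUN directive that udevd executes as root. The following is an added example, not part of the df00tech rule or the MITRE entry: a small Python audit script that parses udev rules files, extracts every directive udevd would execute (RUN, PROGRAM and IMPORT{program}), and attaches triage reasons so an analyst can review the file-event hits this rule produces. The directories /run/udev/rules.d and /usr/lib/udev/rules.d go beyond the page (they are further locations udevd reads), the triage patterns are heuristics constructed for this example, and the sample rules file embedded at the bottom is constructed.

```python
"""Audit udev rule files for directives that udevd executes as root and flag the
ones that warrant analyst review. Added example; the triage heuristics are assumptions."""
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterator

# Rule directories. The first and last are named on the page; the middle two are
# additional locations udevd reads (assumption based on udev's documented search path).
RULE_DIRS = (
    "/etc/udev/rules.d",
    "/run/udev/rules.d",
    "/usr/lib/udev/rules.d",
    "/lib/udev/rules.d",
)

# Assignment keys whose value udevd runs: RUN and PROGRAM execute a command, and
# IMPORT{program} does as well (IMPORT{builtin}/{file}/{db}/... spawn nothing).
ASSIGN_RE = re.compile(
    r'\b(RUN|PROGRAM|IMPORT)(\{[^}]*\})?\s*(\+=|=)\s*"((?:[^"\\]|\\.)*)"'
)

# Heuristic triage patterns (constructed for this example, not from the page).
SUSPICIOUS = {
    "writable-tmp-path": re.compile(r"/(tmp|var/tmp|dev/shm)/"),
    "download-or-relay-tool": re.compile(r"\b(curl|wget|nc|ncat|socat)\b"),
    "interpreter-inline-code": re.compile(r"\b(bash|sh) -[a-z]*c\b|\bpython3? -c\b|\bperl -e\b"),
    "encoded-payload": re.compile(r"\bbase64\b"),
}


@dataclass
class Finding:
    path: str
    lineno: int
    key: str       # RUN / PROGRAM / IMPORT
    command: str   # the quoted value udevd would execute
    reasons: list[str] = field(default_factory=list)


def logical_lines(text: str) -> Iterator[tuple[int, str]]:
    """Yield (first line number, joined line), honouring trailing-backslash continuation."""
    buf: list[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.rstrip()
        if not buf:
            start = lineno
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf).strip()
        buf = []
    if buf:
        yield start, " ".join(buf).strip()


def parse_rules(text: str, path: str = "<inline>") -> list[Finding]:
    """Return every executable directive in a rules file, with triage reasons attached."""
    findings: list[Finding] = []
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        for key, qualifier, _op, cmd in ASSIGN_RE.findall(line):
            if key == "IMPORT" and qualifier != "{program}":
                continue  # only IMPORT{program} runs an external command
            reasons = [name for name, pat in SUSPICIOUS.items() if pat.search(cmd)]
            findings.append(Finding(path, lineno, key, cmd, reasons))
    return findings


def audit_dirs(dirs=RULE_DIRS) -> list[Finding]:
    """Parse every *.rules file under the given directories (missing dirs are skipped)."""
    findings: list[Finding] = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.rules")):
            findings.extend(parse_rules(p.read_text(errors="replace"), str(p)))
    return findings


def suspicious_only(findings: list[Finding]) -> list[Finding]:
    """Keep only findings that hit at least one triage pattern."""
    return [f for f in findings if f.reasons]


# Constructed sample rules file: two benign vendor-style rules and two that merit review.
SAMPLE_RULES = r'''
# benign: grant the plugdev group access to a specific USB device
SUBSYSTEM=="usb", ATTR{idVendor}=="1050", MODE="0660", GROUP="plugdev"
# benign: builtin import, no external command is spawned
ACTION=="add", SUBSYSTEM=="usb", IMPORT{builtin}="hwdb"
# review: runs a script from /tmp whenever any USB device is added
ACTION=="add", SUBSYSTEM=="usb", RUN+="/bin/sh -c '/tmp/.x/agent.sh'"
# review: continuation line, launches a binary from /dev/shm on every disk add
ACTION=="add", KERNEL=="sd*", \
    RUN+="/usr/bin/nohup /dev/shm/svc &"
'''

if __name__ == "__main__":
    # Report the constructed sample first, then whatever is present on this host.
    for f in suspicious_only(parse_rules(SAMPLE_RULES) + audit_dirs()):
        print(f"{f.path}:{f.lineno} {f.key} {f.command!r} -> {', '.join(f.reasons)}")
```

Run it as root (or any user able to read the rules directories) after a file-event alert on /etc/udev/rules.d/ to see exactly which commands the new or changed file would cause udevd to execute; a RUN or PROGRAM that points into a world-writable directory or wraps a shell interpreter is the first thing to check, while rules that only set MODE, GROUP or builtin imports account for most of the package-installation and vendor false positives listed above.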