Description
Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the /dev directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with match keys to specify the conditions a hardware event must meet and action keys to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in /etc/udev/rules.d/, /run/udev/rules.d/, /usr/lib/udev/rules.d/, /usr/local/lib/udev/rules.d/, and /lib/udev/rules.d/. Rule priority is determined both by the directory a rule file lives in and by the digit prefix of the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)
Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as /dev/random, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key RUN+= to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
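The following is an added example, not part of the ATT&CK page or any cited report, showing how a defender can audit the rule directories named above. It parses udev rule lines into match keys and action keys, flags RUN actions that are triggered by pseudo-devices (by KERNEL name, or by the char device numbers 1:8 and 1:9 that belong to /dev/random and /dev/urandom) or that detach the process from udev's short-lived worker (nohup, setsid, systemd-run, a trailing &) or reference world-writable paths, and resolves which copy of a same-named rule file udev actually reads when several directories contain one. The sample rule text is constructed; the directory precedence below /run (local lib before /usr/lib before /lib) is an assumption about the local systemd build, and the function and constant names are this example's own.

```python
import re

# One udev token: KEY or KEY{attr}, an operator, and a double-quoted value.
TOKEN_RE = re.compile(
    r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"'
)
MATCH_OPS = {"==", "!="}

# Pseudo-devices that every process touches, so a RUN bound to them fires often.
PSEUDO_DEVICES = {"random", "urandom", "null", "zero"}
# Char device 1:8 is /dev/random and 1:9 is /dev/urandom (kernel devices.txt).
PSEUDO_MAJMIN = {("1", "8"), ("1", "9")}
# Ways a RUN command detaches from systemd-udevd's short-lived, sandboxed worker.
DETACH_RE = re.compile(
    r"(\bnohup\b|\bsetsid\b|\bsystemd-run\b|\bat\s+now\b|(?<!&)&(?!&)\s*['\"]?\s*$)"
)
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Precedence when two rule files share a filename: first directory listed wins.
# /etc over /run over /usr is documented; the ordering of the three lib trees
# is an assumption for this example.
RULE_DIRS = [
    "/etc/udev/rules.d", "/run/udev/rules.d", "/usr/local/lib/udev/rules.d",
    "/usr/lib/udev/rules.d", "/lib/udev/rules.d",
]

# Constructed sample: one benign rule and two persistence-style rules.
SAMPLE_RULES = """\
# benign: log block device hotplug
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sd*", RUN+="/usr/bin/logger block device added"
# trigger on char device 1:8 (/dev/random), payload backgrounded with '&'
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '/tmp/.x/run.sh &'"
# trigger on the pseudo-device by kernel name, payload in /dev/shm via setsid
KERNEL=="random", ACTION=="add", RUN+="/usr/bin/setsid /dev/shm/payload"
"""


def parse_rules(text):
    """Return [(line_no, {match_key: value}, [(action_key, op, value)])] per rule line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        matches, actions = {}, []
        for key, op, val in TOKEN_RE.findall(line):
            if op in MATCH_OPS:
                matches[key] = val
            else:
                actions.append((key, op, val))
        rules.append((n, matches, actions))
    return rules


def find_suspicious_rules(text):
    """Flag RUN actions with pseudo-device triggers, detach tricks or writable paths."""
    findings = []
    for n, matches, actions in parse_rules(text):
        runs = [v for k, op, v in actions if k.startswith("RUN") and op in ("+=", "=", ":=")]
        if not runs:
            continue
        reasons = []
        kernel = matches.get("KERNEL", "")
        if kernel in PSEUDO_DEVICES:
            reasons.append(f"RUN triggered by pseudo-device {kernel}")
        majmin = (matches.get("ENV{MAJOR}"), matches.get("ENV{MINOR}"))
        if majmin in PSEUDO_MAJMIN:
            reasons.append("RUN triggered by device %s:%s (random/urandom)" % majmin)
        for cmd in runs:
            if DETACH_RE.search(cmd):
                reasons.append(f"RUN command detaches from udev worker: {cmd}")
            if any(d in cmd for d in WRITABLE_DIRS):
                reasons.append(f"RUN command references world-writable path: {cmd}")
        if reasons:
            findings.append({"line": n, "reasons": reasons})
    return findings


def effective_rule_files(listing):
    """Resolve same-name overrides across RULE_DIRS and return (dir, file) pairs in
    the order udev processes them: lexical by filename, so the digit prefix decides."""
    chosen = {}
    for d in RULE_DIRS:  # highest precedence first; the first directory seen wins
        for name in listing.get(d, []):
            chosen.setdefault(name, d)
    return [(chosen[name], name) for name in sorted(chosen)]


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RULES):
        print(f"line {f['line']}:")
        for r in f["reasons"]:
            print("   ", r)
```

On a live host the same functions can be fed the contents of each file under RULE_DIRS; a rule file that is newer than the package that owns its directory, or that only exists in /etc/udev/rules.d/ while a same-named file ships in /usr/lib/udev/rules.d/, is worth a second look even when no reason is flagged, since an override file is also how a legitimate rule is silently masked.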
Platforms
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1219 | REPTILE | Malware | [REPTILE](https://attack.mitre.org/software/S1219) has used udev for persistence.(Citation: Google Cloud Mandiant UNC3886 2024) |
References
- Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for persistence. Retrieved September 26, 2024.
- Ruben Groenewoud. (2024, August 29). Linux Detection Engineering - A Sequel on Persistence Mechanisms. Retrieved October 16, 2024.
- Zachary Reichert. (2024, August 19). Unveiling "sedexp": A Stealthy Linux Malware Exploiting udev Rules. Retrieved September 26, 2024.
Frequently Asked Questions
What is T1546.017 (Udev Rules)?
T1546.017 is a MITRE ATT&CK technique named 'Udev Rules'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to ps...
How can T1546.017 be detected?
Detection of T1546.017 (Udev Rules) typically involves monitoring file creation and modification in the udev rule directories (/etc/udev/rules.d/, /run/udev/rules.d/, /usr/lib/udev/rules.d/, /usr/local/lib/udev/rules.d/, /lib/udev/rules.d/), reviewing the RUN+= actions in new or changed rules, and correlating that with system logs and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1546.017?
Because root permissions are required to write rule files, restricting root access (least privilege) limits who can plant a udev rule. Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1546.017?
The Associated Software table above lists REPTILE (S1219) as having used udev for persistence, as reported in Mandiant's UNC3886 research. Specific threat group attribution may vary; check the MITRE ATT&CK website for the latest threat intelligence.