MITRE ATT&CK Technique
Description
Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024) Adversaries may abuse the udev subsystem by adding or modifying rules in udev rule files to execute malicious content. For example, an adversary may configure a rule to execute their binary each time the pseudo-device file, such as `/dev/random`, is accessed by an application. Although udev is limited to running short tasks and is restricted by systemd-udevd's sandbox (blocking network and filesystem access), attackers may use scripting commands under the action key `RUN+=` to detach and run the malicious content’s process in the background to bypass these controls.(Citation: Reichert aon sedexp 2024)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2024-09-26T17:02:09.888Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may maintain persistence through executing '
'malicious content triggered using udev rules. Udev is the '
'Linux kernel device manager that dynamically manages device '
'nodes, handles access to pseudo-device files in the `/dev` '
'directory, and responds to hardware events, such as when '
'external devices like hard drives or keyboards are plugged in '
'or removed. Udev uses rule files with `match keys` to specify '
'the conditions a hardware event must meet and `action keys` '
'to define the actions that should follow. Root permissions '
'are required to create, modify, or delete rule files located '
'in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, '
'`/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and '
'`/lib/udev/rules.d/`. Rule priority is determined by both '
'directory and by the digit prefix in the rule '
'filename.(Citation: Ignacio Udev research 2024)(Citation: '
'Elastic Linux Persistence 2024)\n'
'\n'
'Adversaries may abuse the udev subsystem by adding or '
'modifying rules in udev rule files to execute malicious '
'content. For example, an adversary may configure a rule to '
'execute their binary each time the pseudo-device file, such '
'as `/dev/random`, is accessed by an application. Although '
'udev is limited to running short tasks and is restricted by '
"systemd-udevd's sandbox (blocking network and filesystem "
'access), attackers may use scripting commands under the '
'action key `RUN+=` to detach and run the malicious content’s '
'process in the background to bypass these controls.(Citation: '
'Reichert aon sedexp 2024)',
'external_references': [{'external_id': 'T1546.017',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1546/017'},
{'description': 'Eder P. Ignacio. (2024, February '
'21). Leveraging Linux udev for '
'persistence. Retrieved September 26, '
'2024.',
'source_name': 'Ignacio Udev research 2024',
'url': 'https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/'},
{'description': 'Ruben Groenewoud. (2024, August 29). '
'Linux Detection Engineering - A '
'Sequel on Persistence Mechanisms. '
'Retrieved October 16, 2024.',
'source_name': 'Elastic Linux Persistence 2024',
'url': 'https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms'},
{'description': 'Zachary Reichert. (2024, August 19). '
'Unveiling "sedexp": A Stealthy Linux '
'Malware Exploiting udev Rules. '
'Retrieved September 26, 2024.',
'source_name': 'Reichert aon sedexp 2024',
'url': 'https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp'}],
'id': 'attack-pattern--f4c3f644-ab33-433d-8648-75cc03a95792',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:37.034Z',
'name': 'Udev Rules',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Eduardo González Hernández (@codexlynx)',
'Eder Pérez Ignacio, @ch4ik0',
'Wirapong Petshagun',
'@grahamhelton3',
'Ruben Groenewoud (@RFGroenewoud)'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux'],
'x_mitre_version': '1.0'}