Udev Rules

Information

• Name: Udev Rules

• ID: T1546.017

• Tactics: TA0003, TA0004

• Technique: T1546

Introduction

Udev Rules (T1546.017) is a sub-technique under the MITRE ATT&CK framework focused on adversaries leveraging Linux udev rules to gain persistence or escalate privileges. Udev is a device manager for the Linux kernel, responsible for managing device nodes in the /dev directory. Attackers can abuse udev rules by inserting malicious rules to execute arbitrary commands or scripts when specific device events occur. This method allows adversaries to maintain persistence, escalate privileges, or execute commands without explicit user interaction, making it a subtle and potentially powerful technique.

Deep Dive Into Technique

Udev is a Linux subsystem that dynamically manages device nodes in the /dev directory. It listens to kernel events related to hardware and device changes (e.g., USB device insertion, disk mount events) and executes associated rules defined in files typically located in /etc/udev/rules.d/ or /lib/udev/rules.d/.

Attackers leverage udev rules by:

• Creating or modifying udev rule files to execute arbitrary commands or scripts when triggered by specific events.

• Utilizing elevated permissions (root privileges) typically associated with udev rule execution to escalate privileges or maintain persistence.

• Ensuring rule files have names ending with .rules and placing them in standard directories (/etc/udev/rules.d/) to blend in with legitimate system files.

Typical malicious udev rule entries include:

ACTION=="add", SUBSYSTEM=="usb", RUN+="/bin/sh -c '/tmp/malicious_script.sh'"

In this example:

• The rule triggers when a USB device is connected (ACTION=="add", SUBSYSTEM=="usb").

• It executes a malicious script located at /tmp/malicious_script.sh.

Attackers may also:

• Hide malicious scripts or binaries in inconspicuous locations.

• Use legitimate-sounding filenames for udev rules to evade detection.

• Exploit udev rules in combination with physical access or remote exploitation to trigger malicious payloads.

When this Technique is Usually Used

Attackers commonly use malicious udev rules in various scenarios and stages:

• Persistence: Establishing long-term presence on compromised Linux systems by ensuring malicious scripts execute automatically on system events or reboots.

• Privilege Escalation: Leveraging the elevated privileges of udev rules (executed as root) to escalate privileges from a lower-privileged user.

• Physical Access Attacks: Deploying malicious udev rules to execute payloads automatically when removable devices (e.g., USB drives) are connected.

• Advanced Persistent Threats (APT): Maintaining stealthy persistence on compromised critical infrastructure or servers where detection is less likely.

• Supply Chain Attacks: Embedding malicious udev rules into compromised system images or installation scripts, allowing attackers to gain persistence across multiple deployments.

How this Technique is Usually Detected

Detection of malicious udev rules typically involves:

• File Integrity Monitoring (FIM):

  • Monitoring /etc/udev/rules.d/ and /lib/udev/rules.d/ for unauthorized additions or modifications.

  • Tools such as AIDE, Tripwire, or OSSEC can detect changes to critical system directories.

• Audit Logging:

  • Enabling Linux auditd service to log file creation, modification, or deletion events in udev directories.

  • Reviewing audit logs (/var/log/audit/audit.log) for suspicious activity.

• Monitoring Process Execution:

  • Using endpoint detection and response (EDR) solutions or host-based intrusion detection systems (HIDS) to detect unexpected or suspicious process executions initiated by udev.

  • Tracking processes spawned from udev (udevd) to identify abnormal command execution.

• Indicator of Compromise (IoC) Analysis:

  • Looking for suspicious rule files with unusual or uncommon filenames (e.g., random strings, unexpected naming patterns).

  • Inspecting rule files for suspicious commands, scripts, or binaries executed upon device events.

  • Checking for scripts or binaries located in unusual directories or temporary locations (/tmp, /dev/shm, /var/tmp).

Why it is Important to Detect This Technique

Detecting malicious udev rules is critical due to their potential severe impacts:

• Persistence:

  • Attackers can maintain a long-term foothold on compromised systems, surviving reboots and standard remediation procedures.

  • Malicious rules can remain undetected for extended periods, allowing attackers continuous access.

• Privilege Escalation:

  • Udev rules run with root privileges, enabling attackers to escalate privileges easily from lower-level user accounts.

  • Elevated privileges can facilitate further lateral movement, data exfiltration, or system compromise.

• Stealth and Difficulty of Detection:

  • Malicious udev rules can blend in with legitimate system files, making detection challenging without proper monitoring.

  • Attackers can leverage subtle triggering events (e.g., device insertions) to execute payloads quietly, avoiding immediate suspicion.

• Potential for Damage:

  • Attackers can execute arbitrary commands, delete critical data, install rootkits, or perform other destructive actions.

  • Compromise of critical infrastructure, servers, or sensitive systems can lead to significant operational disruptions and data breaches.

Early detection and response can significantly reduce the risk of prolonged compromise, privilege escalation, and damage to organizational assets.

Examples

Real-world examples and scenarios involving malicious udev rules include:

• USB Rubber Ducky and Bash Bunny Attacks:

  • Attackers use physical USB devices (e.g., Hak5's USB Rubber Ducky or Bash Bunny) to insert malicious udev rules.

  • Upon insertion, the device triggers a udev rule executing reverse shells, malware payloads, or privilege escalation scripts.

• Persistence via udev Rules in Linux Malware Campaigns:

  • Linux malware campaigns (e.g., HiddenWasp, Skidmap) employing malicious udev rules to maintain persistence across reboots.

  • Attackers deploy rules that execute payloads silently whenever specific hardware events occur.

• Privilege Escalation Exploits:

  • Exploiting vulnerabilities or misconfigurations that allow attackers with limited privileges to write udev rules.

  • Attackers create rules executing malicious scripts with root privileges, escalating their privileges and compromising the system further.

• Supply Chain Attacks:

  • Attackers compromise Linux system installation packages or images, embedding malicious udev rules.

  • Victims unknowingly install compromised system images, granting attackers persistent backdoor access across multiple deployments.

These examples highlight the importance of vigilance, robust detection mechanisms, and proactive monitoring of system configurations and file integrity to identify and mitigate malicious udev rule exploitation.