• henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    17
    ·
    edit-2
    4 months ago

    “At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK,” the researchers note, highlighting that sedexp is an advanced threat that hides in plain site.

    These rules contain three parameters that specify its applicability (ACTION== “add”), the device name (KERNEL== “sdb1”), and what script to run when the specified conditions are met (RUN+=“/path/to/script”).