“At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK,” the researchers note, highlighting that sedexp is an advanced threat that hides in plain sight.
These rules contain three parameters that specify the event that triggers the rule (ACTION=="add"), the device name (KERNEL=="sdb1"), and what script to run when the specified conditions are met (RUN+="/path/to/script").
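To make the rule syntax concrete from a defender's side, here is an added example (not code from the article or from the sedexp researchers) that parses udev rule lines into their key/operator/value tokens and lists every RUN+= action together with the ACTION and KERNEL matches that gate it, flagging programs that live outside the usual udev helper directories. The sample rules, the trusted-path list and the function names are constructed for this illustration; in practice the same parser would be pointed at /etc/udev/rules.d and /usr/lib/udev/rules.d.

```python
"""Audit udev rules for RUN+= actions (added example, not from the article)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rule file: a comment, a rule with the shape quoted in the
# text, a benign permission rule, and a RUN rule that calls a packaged helper.
SAMPLE_RULES = """\
# constructed sample, not a real rules file
ACTION=="add", KERNEL=="sdb1", RUN+="/path/to/script"
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1234", MODE="0660"
KERNEL=="sdb1", ACTION=="add", RUN+="/usr/bin/logger hotplug"
"""

# Directories from which udev normally runs helpers (assumed baseline; tune per distro).
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/",
                    "/usr/sbin/", "/sbin/")

# One token of a rule: KEY or KEY{attr}, an operator, and a double-quoted value.
# "==" and "!=" are match operators; "=", "+=", "-=", ":=" are assignments.
TOKEN_RE = re.compile(
    r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"\s*,?'
)


def parse_rule(line: str) -> Optional[List[Tuple[str, str, str]]]:
    """Split one rule line into (key, operator, value) tokens.

    Returns None for blank lines and comments; raises ValueError on text the
    tokenizer cannot consume, so malformed lines are surfaced rather than skipped.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = []
    pos = 0
    while pos < len(stripped):
        m = TOKEN_RE.match(stripped, pos)
        if not m:
            raise ValueError(f"unparseable udev rule at column {pos}: {stripped!r}")
        tokens.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return tokens


def find_run_rules(text: str) -> List[Dict[str, object]]:
    """Return one finding per RUN action: its gating matches and whether the
    program path sits under a trusted prefix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = parse_rule(line)
        if not tokens:
            continue
        # Match keys (==) describe when the rule fires; RUN assignments say what runs.
        matches = {key: value for key, op, value in tokens if op == "=="}
        runs = [value for key, op, value in tokens
                if key == "RUN" and op in ("+=", "=", ":=")]
        for command in runs:
            program = command.split(None, 1)[0] if command.strip() else command
            findings.append({
                "line": lineno,
                "action": matches.get("ACTION"),
                "kernel": matches.get("KERNEL"),
                "program": program,
                "trusted_path": any(program.startswith(p) for p in TRUSTED_PREFIXES),
            })
    return findings


if __name__ == "__main__":
    for f in find_run_rules(SAMPLE_RULES):
        flag = "" if f["trusted_path"] else "  <-- review: program outside trusted dirs"
        print(f"line {f['line']}: ACTION={f['action']} KERNEL={f['kernel']} "
              f"RUN={f['program']}{flag}")
```

Running the block prints one line per RUN action; only the rule whose program path is outside the trusted directories is flagged, which is the kind of triage question a responder would ask when a rule file like the one described above turns up on a host.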