Suspicious Package Installed - Linux
Detects installation of suspicious packages (network scanning, sniffing, tunnelling and relay tools such as nmap, netcat, wireshark, tshark, openconnect, proxychains and socat) via the system package managers apt, apt-get, yum, rpm and dpkg. Matching is by substring, so short needles such as ' nc' and '-i' also catch unrelated package names and flags; treat hits as a prompt to inspect the full command line rather than as a verdict.
Sigma rule
title: Suspicious Package Installed - Linux
id: 700fb7e8-2981-401c-8430-be58e189e741
status: test
description: Detects installation of suspicious packages using system installation utilities
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2026-01-01
tags:
    - attack.defense-evasion
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection_tool_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'install'
    selection_tool_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'localinstall'
            - 'install'
    selection_tool_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: '-i'
    selection_tool_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--install'
            - '-i'
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious packages
            - 'nmap'
            - ' nc'
            - 'netcat'
            - 'wireshark'
            - 'tshark'
            - 'openconnect'
            - 'proxychains'
            - 'socat'
    condition: 1 of selection_tool_* and selection_keyword
falsepositives:
    - Legitimate administration activities
level: medium
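The Python below is an added example, not part of the SigmaHQ rule or of any Sigma backend: it re-implements the rule's matching logic (the four selection_tool_* blocks, selection_keyword, and the condition `1 of selection_tool_* and selection_keyword`) and runs it over a handful of constructed process_creation events with hypothetical command lines, so you can see which fire and why. It assumes Sigma's default case-insensitive string matching and plain substring semantics for `contains`/`endswith`; real backends differ in wildcard and escaping handling. Two of the constructed events are deliberate false positives that the short needles ' nc' (matches "ncdu") and '-i' (matches "--import") admit, and two show the condition not firing when either half is missing.

```python
"""Re-implementation of the rule's match logic over constructed process_creation events.

Added example, not SigmaHQ code. Sigma 'endswith'/'contains' modifiers are
case-insensitive by default, so every comparison lowercases both sides.
"""

# One entry per selection_tool_* block:
#   (Image|endswith values, CommandLine|contains values)
TOOL_SELECTIONS = {
    "selection_tool_apt":  (("/apt", "/apt-get"), ("install",)),
    "selection_tool_yum":  (("/yum",),            ("localinstall", "install")),
    "selection_tool_rpm":  (("/rpm",),            ("-i",)),
    "selection_tool_dpkg": (("/dpkg",),           ("--install", "-i")),
}

# selection_keyword values in the rule's order; note the leading space on ' nc'
KEYWORDS = ("nmap", " nc", "netcat", "wireshark", "tshark",
            "openconnect", "proxychains", "socat")


def matching_tool(image: str, cmdline: str):
    """Return the first selection_tool_* whose Image suffix and CommandLine
    needle both match, or None if no package-manager selection fires."""
    image, cmdline = image.lower(), cmdline.lower()
    for name, (suffixes, needles) in TOOL_SELECTIONS.items():
        if any(image.endswith(s) for s in suffixes) and any(n in cmdline for n in needles):
            return name
    return None


def matching_keywords(cmdline: str):
    """Return every selection_keyword value found in the command line."""
    cmdline = cmdline.lower()
    return [k for k in KEYWORDS if k in cmdline]


def evaluate(event: dict):
    """Apply 'condition: 1 of selection_tool_* and selection_keyword' to one event."""
    tool = matching_tool(event["Image"], event["CommandLine"])
    keywords = matching_keywords(event["CommandLine"])
    return {"hit": tool is not None and bool(keywords), "tool": tool, "keywords": keywords}


# Constructed sample events (hypothetical command lines, not taken from the page)
EVENTS = [
    {"Image": "/usr/bin/apt-get", "CommandLine": "apt-get install -y nmap"},
    {"Image": "/usr/bin/rpm",     "CommandLine": "rpm -ivh socat-1.7.4.4-1.el9.x86_64.rpm"},
    {"Image": "/usr/bin/dpkg",    "CommandLine": "dpkg -i netcat-openbsd_1.218-4_amd64.deb"},
    # false positive: ' nc' matches the start of the unrelated package name 'ncdu'
    {"Image": "/usr/bin/apt",     "CommandLine": "apt install ncdu"},
    # false positive: '-i' matches '--import', which imports a signing key, not a package
    {"Image": "/usr/bin/rpm",     "CommandLine": "rpm --import /tmp/wireshark-release.key"},
    # no hit: a listed tool name but no install verb, so no selection_tool_* fires
    {"Image": "/usr/bin/apt",     "CommandLine": "apt remove nmap"},
    # no hit: install verb present but no selection_keyword value in the command line
    {"Image": "/usr/bin/apt",     "CommandLine": "apt install nginx"},
]


def run_rule(events=EVENTS):
    """Return (index, tool_selection, keywords) for every event the rule alerts on."""
    hits = []
    for i, event in enumerate(events):
        result = evaluate(event)
        if result["hit"]:
            hits.append((i, result["tool"], result["keywords"]))
    return hits


if __name__ == "__main__":
    for i, tool, kws in run_rule():
        print(f"ALERT event {i}: {EVENTS[i]['CommandLine']!r} via {tool}, keywords={kws}")
```

When tuning the rule for your environment, the two false positives are the ones to watch: ' nc' is only as specific as the space in front of it, and '-i' for rpm fires on any long option that starts with "-i". Tightening them (for example to ' nc ' or to '-ivh'/'--install') trades recall for precision, so check the change against your own package-manager telemetry before shipping it.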
References
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
Related rules
- New Root Certificate Installed Via Certutil.EXE
- Active Directory Certificate Services Denied Certificate Enrollment Request
- Cisco Crypto Commands
- Install Root Certificate
- New Root Certificate Installed Via CertMgr.EXE