Linux Package Uninstall

calendar Aug 12, 2024 · attack.defense-evasion attack.t1070  ·
Share on: linkedin copy

Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

Sigma rule (View on GitHub)

 1title: Linux Package Uninstall
 2id: 95d61234-7f56-465c-6f2d-b562c6fedbc4
 3status: test
 4description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
 5references:
 6    - https://sysdig.com/blog/mitre-defense-evasion-falco
 7    - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
 8    - https://linuxhint.com/uninstall_yum_package/
 9    - https://linuxhint.com/uninstall-debian-packages/
10author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
11date: 2023-03-09
12tags:
13    - attack.defense-evasion
14    - attack.t1070
15logsource:
16    product: linux
17    category: process_creation
18detection:
19    selection_yum:
20        Image|endswith: '/yum'
21        CommandLine|contains:
22            - 'erase'
23            - 'remove'
24    selection_apt:
25        Image|endswith:
26            - '/apt'
27            - '/apt-get'
28        CommandLine|contains:
29            - 'remove'
30            - 'purge'
31    selection_dpkg:
32        Image|endswith: '/dpkg'
33        CommandLine|contains:
34            - '--remove '
35            - ' -r '
36    selection_rpm:
37        Image|endswith: '/rpm'
38        CommandLine|contains: ' -e '
39    condition: 1 of selection_*
40falsepositives:
41    - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
42level: low

References

  • Detecting MITRE ATT&CK: Defense evasion techniques with Falco

    Defense evasion inside MITRE ATT&CK covers several techniques an attacker can use to avoid getting caught. Learn how to protect from those.


    Read More

  • How to Install a Software on Linux Using Yum Command?

    How to Install a Software on Linux Using Yum Command - In this article, we will learn about “how to use the Yum command” for installing the packages. Also note that, the repositories on the Cent OS 6.7 YUM (Yellowdog Update Modified) is a tool used to develop by Redhat. You can use this materials for learning the YUM.Managing Software with YUMUse th


    Read More

  • How to Uninstall a Yum Package

    Tutorial on the steps for uninstalling a single package using Yum and how to specify the multiple packages with the same command using relevant examples.


    Read More

  • Uninstall Ubuntu and Debian Packages With apt-get and dpkg

    This article provides a helpful guide on uninstalling Ubuntu and Debian packages with apt-get and dpkg. The Debian-based Linux distributions offer a variety of ways to remove packages. These basic Debian commands are imperative for any user at any level to learn. In addition, Ubuntu includes the aptitude packages manager.


    Read More

Related rules

to-top