Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Suspicious Package Installed - Linux

Detects installation of suspicious packages using system installation utilities

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Jan 03Updated Thu Jan 01700fb7e8-2981-401c-8430-be58e189e741linux
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic5 selectors
detection:
    selection_tool_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'install'
    selection_tool_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'localinstall'
            - 'install'
    selection_tool_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: '-i'
    selection_tool_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--install'
            - '-i'
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious packages
            - 'nmap'
            - ' nc'
            - 'netcat'
            - 'wireshark'
            - 'tshark'
            - 'openconnect'
            - 'proxychains'
            - 'socat'
    condition: 1 of selection_tool_* and selection_keyword
False Positives

Legitimate administration activities

References
1
Resolving title…
gist.githubusercontent.com
MITRE ATT&CK
Rule Metadata
Rule ID
700fb7e8-2981-401c-8430-be58e189e741
Status
test
Level
medium
Type
Detection
Created
Tue Jan 03
Modified
Thu Jan 01
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml
Raw Tags
attack.defense-evasionattack.t1553.004
View on GitHub