
Suspicious Package Installed - Linux

Format: Sigma · Level: medium · Source: SigmaHQ · ATT&CK: T1553.004 · Sentinel table: imProcessCreate
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

An adversary with a foothold on a Linux host pulls in reconnaissance, tunnelling or proxying tools (nmap, netcat, wireshark/tshark, openconnect, proxychains, socat) through the system package manager instead of dropping binaries by hand. The install command line (apt, apt-get, yum, rpm or dpkg with an install verb and one of those package names) is the artefact to hunt for in process-creation telemetry.

Detection Rule

Sigma (Original)

title: Suspicious Package Installed - Linux
id: 700fb7e8-2981-401c-8430-be58e189e741
status: test
description: Detects installation of suspicious packages using system installation utilities
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2026-01-01
tags:
    - attack.defense-evasion
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection_tool_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'install'
    selection_tool_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'localinstall'
            - 'install'
    selection_tool_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: '-i'
    selection_tool_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--install'
            - '-i'
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious packages
            - 'nmap'
            - ' nc'
            - 'netcat'
            - 'wireshark'
            - 'tshark'
            - 'openconnect'
            - 'proxychains'
            - 'socat'
    condition: 1 of selection_tool_* and selection_keyword
falsepositives:
    - Legitimate administration activities
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (
        ((TargetProcessName endswith "/apt" or TargetProcessName endswith "/apt-get") and TargetProcessCommandLine contains "install")
        or (TargetProcessName endswith "/yum" and (TargetProcessCommandLine contains "localinstall" or TargetProcessCommandLine contains "install"))
        or (TargetProcessName endswith "/rpm" and TargetProcessCommandLine contains "-i")
        or (TargetProcessName endswith "/dpkg" and (TargetProcessCommandLine contains "--install" or TargetProcessCommandLine contains "-i"))
    )
    and (
        TargetProcessCommandLine contains "nmap"
        or TargetProcessCommandLine contains " nc"
        or TargetProcessCommandLine contains "netcat"
        or TargetProcessCommandLine contains "wireshark"
        or TargetProcessCommandLine contains "tshark"
        or TargetProcessCommandLine contains "openconnect"
        or TargetProcessCommandLine contains "proxychains"
        or TargetProcessCommandLine contains "socat"
    )
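The following is an added worked example, not code from the SigmaHQ rule or from this page: a plain-Python re-implementation of the rule's matching logic (the four selection_tool_* groups, selection_keyword, and the condition joining them) run over a handful of constructed process-creation events. It assumes the default Sigma semantics, which the KQL above preserves: endswith and contains are case-insensitive substring tests. The sample image paths and package names are invented for illustration; the events marked as false positives and blind spots follow directly from the substring matching and the fixed installer list in the rule.

```python
# Added example (not part of the SigmaHQ rule or this page): a plain-Python
# re-implementation of the rule's matching logic, run over constructed
# process-creation events, to show what fires, what does not, and why.
from dataclasses import dataclass

# Sigma 'contains'/'endswith' modifiers are case-insensitive substring tests
# by default, and Sentinel's 'contains'/'endswith' behave the same way,
# so every comparison below is done on lower-cased strings.

# selection_tool_*: (Image|endswith suffixes, CommandLine|contains needles)
TOOL_SELECTIONS = {
    "apt": (("/apt", "/apt-get"), ("install",)),
    "yum": (("/yum",), ("localinstall", "install")),
    "rpm": (("/rpm",), ("-i",)),
    "dpkg": (("/dpkg",), ("--install", "-i")),
}

# selection_keyword: note the leading space in ' nc'
KEYWORDS = ("nmap", " nc", "netcat", "wireshark", "tshark",
            "openconnect", "proxychains", "socat")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for one imProcessCreate row (constructed, not real telemetry)."""
    image: str          # TargetProcessName
    command_line: str   # TargetProcessCommandLine


def tool_hits(event: ProcessEvent) -> list[str]:
    """Names of the selection_tool_* groups this event satisfies."""
    image, cmd = event.image.lower(), event.command_line.lower()
    return [
        name
        for name, (suffixes, needles) in TOOL_SELECTIONS.items()
        if any(image.endswith(s) for s in suffixes) and any(n in cmd for n in needles)
    ]


def keyword_hits(event: ProcessEvent) -> list[str]:
    """Keywords from selection_keyword found anywhere in the command line."""
    cmd = event.command_line.lower()
    return [k for k in KEYWORDS if k in cmd]


def matches(event: ProcessEvent) -> bool:
    """condition: 1 of selection_tool_* and selection_keyword"""
    return bool(tool_hits(event)) and bool(keyword_hits(event))


# Constructed sample events; paths and package versions are illustrative.
SAMPLE_EVENTS = [
    # true positives the rule is written for
    ProcessEvent("/usr/bin/apt-get", "apt-get install -y nmap"),
    ProcessEvent("/usr/bin/yum", "yum localinstall /tmp/socat-1.7.4.4-1.x86_64.rpm"),
    ProcessEvent("/usr/bin/dpkg", "dpkg -i /tmp/netcat-openbsd_1.218-4_amd64.deb"),
    # benign install: a tool selection matches but no keyword does -> no alert
    ProcessEvent("/usr/bin/apt-get", "apt-get install -y vim"),
    # false positive: ' nc' is a substring of ' ncdu'
    ProcessEvent("/usr/bin/apt", "apt install ncdu"),
    # false positive: '-i' is a substring of '--info' (rpm query, nothing installed)
    ProcessEvent("/usr/bin/rpm", "rpm -q --info socat"),
    # blind spot: pip is not one of the covered installers
    ProcessEvent("/usr/bin/pip3", "pip3 install python-nmap"),
]


def evaluate(events: list[ProcessEvent]) -> list[dict]:
    """Run the rule over events and return one result row per event."""
    return [
        {
            "image": e.image,
            "command_line": e.command_line,
            "tools": tool_hits(e),
            "keywords": keyword_hits(e),
            "alert": matches(e),
        }
        for e in events
    ]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        flag = "ALERT" if row["alert"] else "-----"
        print(f"{flag} {row['command_line']!r} tools={row['tools']} keywords={row['keywords']}")
```

Running the block prints one line per sample event; the two false positives (ncdu, rpm --info) and the pip blind spot are the cases worth keeping in mind when tuning the rule.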

Required Data Sources

Sentinel Table: imProcessCreate
Notes: imProcessCreate is an ASIM unifying parser (a Kusto function over the ProcessEvent schema), not a data connector by itself. The ASIM process-event parsers must be deployed in the workspace and at least one Linux process-creation source (for example auditd or Sysmon for Linux events arriving through the Syslog/CEF connectors) must be feeding them, so that TargetProcessName and TargetProcessCommandLine are populated for the hosts in scope.

False Positive Guidance

The rule's own falsepositives entry is "Legitimate administration activities", and because every test is a plain case-insensitive substring match, that category is wider than it first looks.

The '-i' needle for rpm and dpkg matches any argument containing that sequence, so query-only invocations such as an rpm query with --info fire when the queried package is one of the keywords, even though nothing was installed. The ' nc' keyword (leading space) matches any package whose name starts with nc, such as ncdu or the ncurses development packages. The keyword list is checked against the whole command line, not just the package argument, so a path or option value containing one of the words (a script under a directory named after tshark, for example) also fires.

The inverse is the more important caveat: the rule only sees apt, apt-get, yum, rpm and dpkg. Tools installed through pip, npm, snap, a piped curl-to-shell installer, or simply copied into place produce no match, so a miss here is not evidence that none of these tools are present.

Reasonable tuning steps are to exclude known build and administration hosts, and to require the keyword to appear as a whole token after the install verb rather than anywhere in the command line.

MITRE ATT&CK Context

The rule is tagged attack.defense-evasion and attack.t1553.004. T1553.004 is Subvert Trust Controls: Install Root Certificate, a Defense Evasion sub-technique. That mapping comes from the upstream SigmaHQ rule; the behaviour actually matched, staging network tooling through the package manager, fits it loosely at best, so treat the tag as the rule author's choice rather than a precise description of what fires.

Validation

No Atomic Red Team test is listed for this rule on this page. To confirm the pipeline end to end without installing anything, run apt-get on a test host with its simulate flag (-s, equivalently --simulate) against one of the listed packages such as nmap: the process-creation event still carries the install verb and the package name in its command line, so the query above should return it with TargetProcessName ending in /apt-get. If it does not, check that the host's process events are reaching the ASIM parser before suspecting the rule logic.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml