---
title: Software package installed
description: Datadog, the leading service for cloud-scale monitoring.
---

# Software package installed
Classification: attack | Tactic: [TA0002-execution](https://attack.mitre.org/tactics/TA0002) | Technique: [T1059-command-and-scripting-interpreter](https://attack.mitre.org/techniques/T1059)

## Goal{% #goal %}

Detect package installations via common Linux package managers (`apt`, `yum`, `apk`). Attackers install tools such as network scanners, reverse shells, or exploit frameworks after gaining initial access.

## Strategy{% #strategy %}

This rule monitors Process Activity Launch events (`ocsf.class_uid:1007 @ocsf.activity_id:1`) where the process name is a package manager and the command line includes an install subcommand. `ocsf.process.name` identifies the package manager, and `ocsf.process.cmd_line` captures the full argument string including the subcommand and package name.
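
The matching logic described above, worked through as an added example over constructed OCSF-shaped events (this is illustrative code written for this page, not Datadog's rule implementation). The subcommand table is an assumption: the page names `apt`, `yum` and `apk` but not the exact subcommands, so `install` is assumed for `apt`/`apt-get`/`yum` and `add` for `apk`. The example also shows why tokenizing the command line beats a plain substring match: `yum list installed` contains the text "install" but is not an installation.

```python
import shlex

# Assumed package-manager process names and their install subcommands
# (not taken from the page; apt-get is added as a common apt front end).
INSTALL_SUBCOMMANDS = {
    "apt": {"install"},
    "apt-get": {"install"},
    "yum": {"install"},
    "apk": {"add"},
}

PROCESS_ACTIVITY_CLASS_UID = 1007  # ocsf.class_uid for Process Activity
ACTIVITY_LAUNCH = 1                # ocsf.activity_id for Launch


def installed_packages(event):
    """Return the package arguments if the event is a package-manager install, else None."""
    if event.get("class_uid") != PROCESS_ACTIVITY_CLASS_UID:
        return None
    if event.get("activity_id") != ACTIVITY_LAUNCH:
        return None
    proc = event.get("process", {})
    subcommands = INSTALL_SUBCOMMANDS.get(proc.get("name"))
    if not subcommands:
        return None
    try:
        argv = shlex.split(proc.get("cmd_line", ""))
    except ValueError:  # unbalanced quotes in cmd_line
        return None
    # Skip option flags so "apt-get -y install nmap" still resolves to "install".
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if not positional or positional[0] not in subcommands:
        return None
    return positional[1:]


def detect(events):
    """Return (actor user name, process name, packages) for every matching event."""
    hits = []
    for ev in events:
        pkgs = installed_packages(ev)
        if pkgs is not None:
            user = ev.get("actor", {}).get("user", {}).get("name")
            hits.append((user, ev["process"]["name"], pkgs))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"class_uid": 1007, "activity_id": 1, "actor": {"user": {"name": "deploy"}},
     "process": {"name": "apt-get", "cmd_line": "apt-get -y install nmap"}},
    {"class_uid": 1007, "activity_id": 1, "actor": {"user": {"name": "www-data"}},
     "process": {"name": "apk", "cmd_line": "apk add --no-cache socat"}},
    {"class_uid": 1007, "activity_id": 1, "actor": {"user": {"name": "root"}},
     "process": {"name": "yum", "cmd_line": "yum list installed"}},  # no hit
    {"class_uid": 1007, "activity_id": 2, "actor": {"user": {"name": "root"}},
     "process": {"name": "apt", "cmd_line": "apt install curl"}},  # not a Launch
]
```

Running `detect(SAMPLE_EVENTS)` yields hits only for the first two events, giving the actor name and package list that the triage steps below ask for.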

## Triage and response{% #triage-and-response %}

1. Review `{{@ocsf.process.cmd_line}}` to identify which package was installed on `{{host}}`.
1. Determine whether the installation was authorized — check change management records and verify with the system owner.
1. Identify who ran the command using `{{@ocsf.actor.user.name}}`.
1. If unauthorized, remove the installed package and investigate the attacker's access vector.
