For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-795.md. A documentation index is available at /llms.txt.

Software package installed

Goal

Detect package installations via common Linux package managers (apt, yum, apk). Attackers routinely install tooling such as network scanners, reverse-shell utilities, or exploit frameworks after gaining initial access, so an unexpected package install on a production host is an early indicator of post-compromise activity.

Strategy

This rule monitors Process Activity: Launch events (ocsf.class_uid:1007 @ocsf.activity_id:1) in which the process name is a package manager and the command line contains an install subcommand. ocsf.process.name identifies the package manager binary (for example apt, yum, or apk), and ocsf.process.cmd_line captures the full argument string, including the subcommand, any flags, and the package names. Because the match is made on the package manager's own launch event, an install run through sudo or a shell wrapper still fires: the child process is the package manager, regardless of what its parent was.

Triage and response

  1. Review {{@ocsf.process.cmd_line}} to identify which package(s) were installed on {{host}}. Flags are often interleaved with the subcommand (for example `apt-get -y install nmap`), so read the whole argument string rather than only the word after `install`. Confirm on the host against the package manager's own history (for example /var/log/apt/history.log or `yum history`) so you are not relying on the event alone.
  2. Identify who ran the command using {{@ocsf.actor.user.name}}. If the install went through sudo, this field shows the effective user (typically root); the invoking account is on the parent sudo process's launch event.
  3. Determine whether the installation was authorized: check change management records and verify with the system owner and the user identified in step 2.
  4. If unauthorized, preserve evidence (the installed files, package manager logs, and shell history) before removing the package, then investigate the attacker's access vector and look for other activity by the same user or host in the surrounding time window.
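
The detection described in the Strategy section, run over constructed OCSF-shaped process-launch events, as an added example; this is not Datadog's rule definition or query engine, and the event shapes, hostnames, usernames, and package names are made up for illustration. It also extracts the fields that triage steps 1 and 2 refer to (the package names from the command line and the actor user). The page names apt, yum, and apk; apt-get and dnf are added here as assumptions about what a practitioner would also want covered. The sample includes a sudo-wrapped install to show that the rule fires on the child package-manager process and reports root as the user.

```python
"""Toy re-implementation of the "Software package installed" detection.

Added example, not Datadog's rule logic. Field names follow the page:
process.name, process.cmd_line, actor.user.name, host.
"""
import shlex

PROCESS_ACTIVITY = 1007   # OCSF class_uid for Process Activity
LAUNCH = 1                # OCSF activity_id for Launch

# Package-manager binary -> subcommands that install software.
# apt, yum and apk come from the page; apt-get and dnf are assumptions.
# apk has no "install" subcommand; its install verb is "add".
PACKAGE_MANAGERS = {
    "apt": {"install"},
    "apt-get": {"install"},
    "yum": {"install"},
    "dnf": {"install"},
    "apk": {"add"},
}


def match_event(event):
    """Return a finding dict if the event is a package install, else None."""
    if event.get("class_uid") != PROCESS_ACTIVITY:
        return None
    if event.get("activity_id") != LAUNCH:
        return None
    proc = event.get("process", {})
    name = proc.get("name", "")
    subcommands = PACKAGE_MANAGERS.get(name)
    if not subcommands:
        return None          # not a package manager (sudo, python3, ...)

    cmd_line = proc.get("cmd_line", "")
    try:
        argv = shlex.split(cmd_line)
    except ValueError:       # unbalanced quotes: fall back to whitespace split
        argv = cmd_line.split()

    # Flags may precede the subcommand ("apt-get -y install nmap"), so scan
    # argv[1:] for the first install verb instead of assuming argv[1].
    sub_idx = next((i for i, arg in enumerate(argv[1:], 1) if arg in subcommands), None)
    if sub_idx is None:
        return None          # e.g. "apt list --installed"

    # Everything after the subcommand that is not a flag is treated as a
    # package name. Caveat: an option that takes a separate value
    # ("-o Dpkg::Options::=...") would leak its value into this list.
    packages = [arg for arg in argv[sub_idx + 1:] if not arg.startswith("-")]
    return {
        "host": event.get("host"),
        "user": event.get("actor", {}).get("user", {}).get("name"),
        "manager": name,
        "cmd_line": cmd_line,
        "packages": packages,
    }


def summarize(finding):
    """One-line triage summary: who installed what, where."""
    return (f"{finding['host']}: {finding['user']} ran {finding['manager']} "
            f"to install {', '.join(finding['packages']) or '<no package parsed>'}")


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"class_uid": 1007, "activity_id": 1, "host": "web-01",
     "actor": {"user": {"name": "deploy"}},
     "process": {"name": "apt-get", "cmd_line": "apt-get -y install nmap netcat-openbsd"}},
    {"class_uid": 1007, "activity_id": 1, "host": "web-01",
     "actor": {"user": {"name": "deploy"}},
     "process": {"name": "apt", "cmd_line": "apt list --installed"}},
    {"class_uid": 1007, "activity_id": 1, "host": "build-03",
     "actor": {"user": {"name": "root"}},
     "process": {"name": "apk", "cmd_line": "/sbin/apk add --no-cache socat"}},
    # sudo wrapper: its own launch event does not match ...
    {"class_uid": 1007, "activity_id": 1, "host": "db-02",
     "actor": {"user": {"name": "alice"}},
     "process": {"name": "sudo", "cmd_line": "sudo yum install -y masscan"}},
    # ... but the child yum process does, with root as the actor.
    {"class_uid": 1007, "activity_id": 1, "host": "db-02",
     "actor": {"user": {"name": "root"}},
     "process": {"name": "yum", "cmd_line": "yum install -y masscan"}},
    # Same command line, but a Terminate (activity_id 2) event, not a Launch.
    {"class_uid": 1007, "activity_id": 2, "host": "db-02",
     "actor": {"user": {"name": "root"}},
     "process": {"name": "yum", "cmd_line": "yum install -y masscan"}},
    # pip is not one of the monitored package managers.
    {"class_uid": 1007, "activity_id": 1, "host": "web-01",
     "actor": {"user": {"name": "deploy"}},
     "process": {"name": "python3", "cmd_line": "python3 -m pip install requests"}},
]


def run_detection(events=SAMPLE_EVENTS):
    """Apply match_event to every event and return the findings in order."""
    return [f for f in (match_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in run_detection():
        print(summarize(finding))
```

Running the block prints three findings (the apt-get, apk, and yum installs) and skips the `apt list`, sudo wrapper, Terminate, and pip events. The sudo case is the one to remember during triage: the finding names root, and the account that actually typed the command (alice here) is only visible on the parent sudo process's event.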