
Insider Threat Matrix™

  • ID: DT044
  • Created: 02nd June 2024
  • Updated: 02nd June 2024
  • Platform: Linux
  • Contributor: The ITM Team

Linux dpkg Log

The Debian package manager (dpkg) installs, removes and otherwise manages software packages on Debian-based systems; installs performed through apt also pass through dpkg. It records its activity in /var/log/dpkg.log, with rotated copies stored alongside it (dpkg.log.1, dpkg.log.2.gz, and so on).

Each line records a timestamp, the action performed (for example install, upgrade, remove or purge, alongside status lines), and the package name and version.

To view package installs, the following command can be used: grep " install " /var/log/dpkg.log*

To view package uninstalls, the following command can be used: grep " remove " /var/log/dpkg.log*

The spaces around the action keep the match on the action field, so that "status installed" lines are not returned. Rotated logs that logrotate has compressed (dpkg.log.*.gz) are not searched by grep; use zgrep with the same pattern to include them.
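As an added example (not code from the ITM page), a small Python parser that reads dpkg.log and its rotated, gzipped copies, keeps only the install/upgrade/remove/purge events, and tags packages whose names match an assumed watchlist of unapproved-software categories; the watchlist, the sample log lines and the package versions are constructed for illustration.

```python
import gzip
import re
from pathlib import Path

# An action line in /var/log/dpkg.log looks like (status/startup lines are skipped):
#   YYYY-MM-DD HH:MM:SS action package[:arch] old-version new-version
# "install" has "<none>" as old-version; "remove"/"purge" have "<none>" as new-version.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>install|upgrade|remove|purge) "
    r"(?P<pkg>[^\s:]+)(?::(?P<arch>\S+))? (?P<old>\S+) (?P<new>\S+)$"
)

# Illustrative watchlist (an assumption, not from the ITM page): package-name prefix -> ITM section
# (VPN applications, virtual machines, FTP clients).
WATCHLIST = {"openvpn": "PR003.002", "virtualbox": "PR003.001", "filezilla": "PR003.009"}

def parse_dpkg_lines(lines):
    """Return one event dict (ts, action, pkg, arch, old, new) per action line."""
    events = []
    for line in lines:
        m = ACTION_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def read_dpkg_logs(log_dir="/var/log"):
    """Read dpkg.log and its rotated copies; logrotate gzips older ones, which plain grep cannot search."""
    events = []
    for path in sorted(Path(log_dir).glob("dpkg.log*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            events.extend(parse_dpkg_lines(fh))
    return sorted(events, key=lambda e: e["ts"])

def flag_events(events, watchlist=WATCHLIST):
    """Attach the ITM section ID to events whose package name starts with a watchlisted prefix."""
    flagged = []
    for e in events:
        section = next((s for p, s in watchlist.items() if e["pkg"].startswith(p)), None)
        if section:
            flagged.append({**e, "section": section})
    return flagged

# Constructed sample dpkg.log content (versions are made up) so the parser runs offline.
SAMPLE_LOG = """\
2024-06-02 09:12:02 status installed vim:amd64 2:9.1.0016-1
2024-06-02 10:15:32 install openvpn:amd64 <none> 2.6.3-1
2024-06-02 11:02:10 upgrade curl:amd64 7.88.1-10 7.88.1-10+deb12u5
2024-06-02 12:40:07 remove filezilla:amd64 3.63.0-1 <none>
2024-06-03 08:00:00 install virtualbox-7.0:amd64 <none> 7.0.18-1
"""
```

Calling read_dpkg_logs() on a real host replaces SAMPLE_LOG; the returned events can then be passed to flag_events() and forwarded to whatever alerting the environment uses.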

Sections

ID Name Description

IF009 Installing Unapproved Software

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

PR003 Software Installation

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

IF005 Exfiltration via Messaging Applications

A subject uses a messaging application to exfiltrate data through messages or uploaded media.

PR003.001 Installing Virtual Machines

A subject installs a hypervisor that allows them to create and access virtual environments on a device.

PR003.002 Installing VPN Applications

A subject installs a VPN application that allows them to tunnel their traffic.

PR003.003 Installing Browsers

A subject can install an unapproved browser with features that frustrate or defeat preventive and detective controls, such as a built-in VPN, Tor access, or automatic destruction of browser artifacts.

PR003.005 Installing Cloud Storage Applications

A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.

PR003.006 Installing Note-Taking Applications

A subject installs an unapproved note-taking application with the ability to sync notes across the Internet.

PR003.007 Installing Messenger Applications

A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet.

PR003.008 Installing SSH Clients

A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network.

PR003.009 Installing FTP Clients

A subject installs a File Transfer Protocol (FTP) client, which can be used to access FTP servers across a network.

PR003.010 Installing RDP Clients

A subject installs a Remote Desktop Protocol (RDP) client, which can be used to access RDP servers across a network.

PR003.011 Installing Screen Sharing Software

A subject installs screen sharing software, which can be used to capture images or other information from a target system.