Detections
- ID: DT044
- Created: 02nd June 2024
- Updated: 02nd June 2024
- Platform: Linux
- Contributor: The ITM Team
Linux dpkg Log
The Debian Package Management (dpkg) utility is responsible for software installation and management. This tool provides one or more log files, located at /var/log/dpkg.log.
This log contains the timestamp, the action conducted, and the package name and version.
To view pakage installs, the following command can be used: grep “ install ” /var/log/dpkg.log*
To view package uninstalls, the following command can be used: grep “ remove ” /var/log/dpkg.log*
Sections
| ID | Name | Description |
|---|---|---|
| IF009 | Installing Unapproved Software | A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment. |
| PR003 | Software Installation | A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies. |
| IF005 | Exfiltration via Messaging Applications | A subject uses a messaging application to exfiltrate data through messages or uploaded media. |
| PR003.001 | Installing Virtual Machines | A subject installs a hypervisor that allows them to create and access virtual environments on a device. |
| PR003.002 | Installing VPN Applications | A subject installs a VPN application that allows them to tunnel their traffic. |
| PR003.003 | Installing Browsers | A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction. |
| PR003.005 | Installing Cloud Storage Applications | A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet. |
| PR003.006 | Installing Note-Taking Applications | A subject installs an unapproved note taking application with the ability to sync notes across the Internet. |
| PR003.007 | Installing Messenger Applications | A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet. |
| PR003.008 | Installing SSH Clients | A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network. |
| PR003.009 | Installing FTP Clients | A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network. |
| PR003.010 | Installing RDP Clients | A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network. |
| PR003.011 | Installing Screen Sharing Software | A subject installs screen sharing software which can be used to capture images or other information from a target system. |