Detections
- ID: DT044
- Created: 02nd June 2024
- Updated: 02nd June 2024
- Platform: Linux
- Contributor: The ITM Team
Linux dpkg Log
The Debian Package Management (dpkg) utility is responsible for software installation and management. This tool provides one or more log files, located at /var/log/dpkg.log.
This log contains the timestamp, the action conducted, and the package name and version.
To view pakage installs, the following command can be used: grep “ install ” /var/log/dpkg.log*
To view package uninstalls, the following command can be used: grep “ remove ” /var/log/dpkg.log*
Sections
| ID | Name | Description |
|---|---|---|
| IF009 | Installing Unapproved Software | A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment. |
| PR003 | Software Installation | A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies. |
| IF005 | Exfiltration via Messaging Applications | A subject uses a messaging application to exfiltrate data through messages or uploaded media. |
| PR003.001 | Installing Virtual Machines | A subject installs a hypervisor that allows them to create and access virtual environments on a device. |
| PR003.002 | Installing VPN Applications | A subject installs a VPN application that allows them to tunnel their traffic. |
| PR003.003 | Installing Browsers | A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction. |
| PR003.005 | Installing Cloud Storage Applications | A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet. |
| PR003.006 | Installing Note-Taking Applications | A subject installs an unapproved note taking application with the ability to sync notes across the Internet. |
| PR003.007 | Installing Messenger Applications | A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet. |
| PR003.008 | Installing SSH Clients | A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network. |
| PR003.009 | Installing FTP Clients | A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network. |
| PR003.010 | Installing RDP Clients | A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network. |
| PR003.011 | Installing Screen Sharing Software | A subject installs screen sharing software which can be used to capture images or other information from a target system. |
| PR006.004 | Security Enumeration via Network Activity | A subject attempts to identify security software by monitoring network traffic. |
| PR003.012 | Installation of Dark Web-Capable Browsers | The subject installs a browser capable of accessing anonymity networks, such as the Tor Browser (used for
Installation of the Tor Browser Bundle typically involves downloading a signed executable or compressed package from
In environments with proxy filtering, the subject may attempt to chain Tor through bridge relays or VPNs, obfuscate traffic using SOCKS5 tunneling, or execute from non-standard directories (e.g., cloud-sync folders, external volumes). Some subjects bypass endpoint controls entirely by booting into live-operating systems (e.g., Tails, Whonix) which route all system traffic through Tor by default and leave minimal forensic artifacts on host storage.
This installation is rarely accidental and often coincides with other policy evasions or drift indicators. The presence of anonymizing tools—even in dormant form—warrants scrutiny as a preparatory indicator linked to potential data exfiltration, credential harvesting, or external coordination. |