ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT044
  • Created: 02nd June 2024
  • Updated: 02nd June 2024
  • Platform: Linux
  • Contributor: The ITM Team

Linux dpkg Log

The Debian Package Management (dpkg) utility is responsible for software installation and management. This tool provides one or more log files, located at /var/log/dpkg.log.

This log contains the timestamp, the action conducted, and the package name and version.

To view pakage installs, the following command can be used: grep “ install ” /var/log/dpkg.log*

To view package uninstalls, the following command can be used: grep “ remove ” /var/log/dpkg.log*

Sections

ID Name Description
IF009Installing Unapproved Software

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

PR003Software Installation

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

IF005Exfiltration via Messaging Applications

A subject uses a messaging application to exfiltrate data through messages or uploaded media.

PR003.001Installing Virtual Machines

A subject installs a hypervisor that allows them to create and access virtual environments on a device.

PR003.002Installing VPN Applications

A subject installs a VPN application that allows them to tunnel their traffic.

PR003.003Installing Browsers

A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction.

PR003.005Installing Cloud Storage Applications

A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.

PR003.006Installing Note-Taking Applications

A subject installs an unapproved note taking application with the ability to sync notes across the Internet.

PR003.007Installing Messenger Applications

A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet.

PR003.008Installing SSH Clients

A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network.

PR003.009Installing FTP Clients

A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network.

PR003.010Installing RDP Clients

A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network.

PR003.011Installing Screen Sharing Software

A subject installs screen sharing software which can be used to capture images or other information from a target system.

PR006.004Security Enumeration via Network Activity

A subject attempts to identify security software by monitoring network traffic.

PR003.012Installation of Dark Web-Capable Browsers

The subject installs a browser capable of accessing anonymity networks, such as the Tor Browser (used for .onion sites), I2P Router Console, or Freenet, as part of preparation for covert research, anonymous communication, or unmonitored data exchange. This behavior may support future infringement by enabling non-attributable activity outside sanctioned IT controls.

 

Installation of the Tor Browser Bundle typically involves downloading a signed executable or compressed package from https://www.torproject.org, executing an installer that unpacks a portable browser (a custom-hardened Firefox variant), and launching start-tor-browser.exe—which spawns both the Tor daemon (tor.exe) and the browser instance (firefox.exe) in a sandboxed environment. Configuration files such as torrc may be modified to enable pluggable transports (e.g., obfs4, meek) designed to evade deep packet inspection (DPI) or proxy enforcement.

 

In environments with proxy filtering, the subject may attempt to chain Tor through bridge relays or VPNs, obfuscate traffic using SOCKS5 tunneling, or execute from non-standard directories (e.g., cloud-sync folders, external volumes). Some subjects bypass endpoint controls entirely by booting into live-operating systems (e.g., Tails, Whonix) which route all system traffic through Tor by default and leave minimal forensic artifacts on host storage.

 

This installation is rarely accidental and often coincides with other policy evasions or drift indicators. The presence of anonymizing tools—even in dormant form—warrants scrutiny as a preparatory indicator linked to potential data exfiltration, credential harvesting, or external coordination.