Adversaries may uninstall Linux packages to remove forensic artifacts or to disable security tooling (an audit daemon, a runtime sensor, an EDR agent), which helps them persist undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify the removal of critical security components or other malicious cleanup activity.
Detection Rule
title: Linux Package Uninstall
id: 95d61234-7f56-465c-6f2d-b562c6fedbc4
status: test
description: Detects Linux package removal using built-in tools such as "yum", "apt", "apt-get", "dpkg" or "rpm".
references:
    - https://sysdig.com/blog/mitre-defense-evasion-falco
    - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
    - https://linuxhint.com/uninstall_yum_package/
    - https://linuxhint.com/uninstall-debian-packages/
author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    product: linux
    category: process_creation
detection:
    selection_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'erase'
            - 'remove'
    selection_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains:
            - 'remove'
            - 'purge'
    selection_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--remove '
            - ' -r '
    selection_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: ' -e '
    condition: 1 of selection_*
falsepositives:
    - Administrators or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
level: low
imProcessCreate
| where (TargetProcessName endswith "/yum"
            and (TargetProcessCommandLine contains "erase" or TargetProcessCommandLine contains "remove"))
    or ((TargetProcessName endswith "/apt" or TargetProcessName endswith "/apt-get")
            and (TargetProcessCommandLine contains "remove" or TargetProcessCommandLine contains "purge"))
    or (TargetProcessName endswith "/dpkg"
            and (TargetProcessCommandLine contains "--remove " or TargetProcessCommandLine contains " -r "))
    or (TargetProcessName endswith "/rpm" and TargetProcessCommandLine contains " -e ")
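The following is an added example, not code from the Sigma project or from the rule's authors. It reimplements the four selections above in Python and runs them over constructed process-creation events, so you can see which command lines the rule fires on, how the tuning exclusions from the false-positive scenarios change the result, and which removals the rule does not see at all. Field names (Image, CommandLine, User) follow the Sigma process_creation schema; KNOWN_CI_USERS is a hypothetical allowlist and the sample events are constructed, not real telemetry.

```python
"""Added example (not the Sigma project's code): evaluates the "Linux Package
Uninstall" rule's selections in Python over constructed process-creation
events. Field names follow the Sigma process_creation schema; KNOWN_CI_USERS
is a hypothetical allowlist for the CI/CD false-positive scenario."""

# Each selection: (Image|endswith suffixes, CommandLine|contains needles).
# Sigma string modifiers are case-insensitive, so both sides are lower-cased.
SELECTIONS = {
    "selection_yum": (("/yum",), ("erase", "remove")),
    "selection_apt": (("/apt", "/apt-get"), ("remove", "purge")),
    "selection_dpkg": (("/dpkg",), ("--remove ", " -r ")),
    "selection_rpm": (("/rpm",), (" -e ",)),
}

# Hypothetical: service accounts whose package removals are expected (CI scenario).
KNOWN_CI_USERS = {"jenkins", "gitlab-runner"}


def matching_selections(image, command_line):
    """Names of the selections an event satisfies; the rule fires on 1 of selection_*."""
    img, cmd = image.lower(), command_line.lower()
    return [
        name
        for name, (suffixes, needles) in SELECTIONS.items()
        if any(img.endswith(s) for s in suffixes) and any(n in cmd for n in needles)
    ]


def is_excluded(event):
    """Tuning from the false-positive scenarios: scheduled housekeeping
    ('autoremove' still contains 'remove', so the rule matches it) and
    removals run by a known CI account. Everything else stays alertable."""
    cmd = event["CommandLine"].lower()
    if "autoremove" in cmd:
        return True
    return event.get("User") in KNOWN_CI_USERS


def evaluate(events):
    """Annotate each event with the selections it hits and whether it would alert."""
    results = []
    for event in events:
        hits = matching_selections(event["Image"], event["CommandLine"])
        results.append({**event, "selections": hits, "alert": bool(hits) and not is_excluded(event)})
    return results


# Constructed sample events (not real telemetry). The last three are package
# removals the rule does not see: 'rpm -evh' carries no ' -e ' token, and dnf
# and zypper have no selection at all.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/yum", "CommandLine": "yum remove -y auditd", "User": "root"},
    {"Image": "/usr/bin/apt-get", "CommandLine": "apt-get purge -y falco", "User": "root"},
    {"Image": "/usr/bin/dpkg", "CommandLine": "dpkg -r auditd", "User": "root"},
    {"Image": "/usr/bin/rpm", "CommandLine": "rpm -e auditd", "User": "root"},
    {"Image": "/usr/bin/apt", "CommandLine": "apt autoremove -y", "User": "root"},
    {"Image": "/usr/bin/apt-get", "CommandLine": "apt-get remove -y build-essential", "User": "jenkins"},
    {"Image": "/usr/bin/apt", "CommandLine": "apt install -y nginx", "User": "root"},
    {"Image": "/usr/bin/rpm", "CommandLine": "rpm -evh auditd", "User": "root"},
    {"Image": "/usr/bin/dnf", "CommandLine": "dnf remove -y auditd", "User": "root"},
    {"Image": "/usr/bin/zypper", "CommandLine": "zypper remove auditd", "User": "root"},
]


def summary(events=SAMPLE_EVENTS):
    """Counts of raw rule matches and of alerts that survive the exclusions."""
    results = evaluate(events)
    return {
        "matched": sum(1 for r in results if r["selections"]),
        "alerts": sum(1 for r in results if r["alert"]),
    }


if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS):
        flag = "ALERT" if r["alert"] else ("match" if r["selections"] else "-----")
        print(f"{flag:5}  {r['User']:<8} {r['CommandLine']}")
    print(summary())
```

Two things worth noticing when you run it: the autoremove and CI events are raw matches that the exclusions drop, which is the tuning the scenarios below describe, while `rpm -evh`, `dnf remove` and `zypper remove` are genuine uninstalls the rule never matches because its selections only name yum, apt, apt-get, dpkg and rpm, and the rpm needle requires a bare ` -e `. Extending the selections is a decision for your own fork of the rule; this block only shows where the current one stops.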
Scenario: System Maintenance via apt or yum
Description: A system administrator is performing routine package uninstallation using apt remove or yum remove as part of system maintenance.
Filter/Exclusion: Confirm the image is apt, apt-get or yum, then exclude removals (including apt remove --purge) of packages on a maintained allowlist of routinely cycled software (e.g., nginx, vsftpd). Keep audit, logging and endpoint-security packages off that allowlist, since their removal is exactly what this rule exists to catch.
Scenario: Scheduled Job for Package Cleanup
Description: A scheduled job (e.g., via cron or a systemd timer) is configured to remove outdated packages using apt autoremove or yum autoremove. Note that these still match the rule, because "autoremove" contains the "remove" string the apt and yum selections look for.
Filter/Exclusion: Filter commands that include autoremove or clean, and confirm from the parent process that the job was launched by cron or a systemd timer rather than from an interactive shell.
Scenario: Package Removal via dnf in a DevOps Pipeline
Description: A CI/CD pipeline or DevOps tool (e.g., Jenkins, GitLab CI) is configured to remove specific packages as part of environment setup or cleanup. As written, the rule has no selection for dnf (nor for zypper), so dnf removals only become relevant once you add such a selection to your copy of the rule.
Filter/Exclusion: Check the execution context (e.g., the process runs as the CI service account such as jenkins, or the environment carries CI=true) and filter out the known DevOps tooling commands for that account.
Scenario: User-Initiated Package Removal via rpm
Description: A regular user is removing a package using rpm -e as part of a local system cleanup or dependency resolution. Removing a package from the system RPM database requires root, so an rpm -e run by an unprivileged user fails; such events are noise, not a successful removal.
Filter/Exclusion: Filter out commands executed by non-root users. Do not exclude on --nodeps or --allmatches; --nodeps forces removal regardless of dependent packages, which is more consistent with someone ripping out a security agent than with routine cleanup, so treat those flags as raising suspicion instead.
Scenario: Package Removal via zypper in a SUSE Environment
Description: A system administrator is using zypper remove to uninstall packages in