elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] RPM Package Installed by Unusual Parent Process #3882

Closed. Aegrah closed this 2 months ago.

Aegrah commented 3 months ago

Summary

This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. Attackers may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence.

It uses the new_terms rule type to minimize FPs across hosts.

Quite some hits in telemetry in the last 90d, but by using the new_terms rule type this should decrease. Also, this rule is meant to be relatively noisy, as it is a low confidence/risk rule. It grants an extra layer of visibility into RPM package persistence.

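The detection logic described in the issue above, as an added example that is not part of the original issue or of the elastic/detection-rules repository: a Python model of a new_terms-style check run over constructed process events. It filters for `rpm` invocations that install or upgrade a package, then flags the event only when the parent process name has not been seen (on any host) within the history window. The field names (`@timestamp`, `host`, `name`, `args`, `parent`), the 30-day history window, the alert start date, the install-flag set and all sample events are assumptions made for this example; the real rule's query and new-terms configuration are not reproduced here.

```python
"""Simplified model of a new_terms detection for rpm installs by an unusual parent.

Assumptions (not from the original rule): ECS-like flat field names, a 30-day
history window, and a warm-up period before alert_start that only seeds history.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # warm-up period: seeds the history window, never alerts
    {"@timestamp": "2024-05-01T08:00:00", "host": "host-a", "name": "rpm",
     "args": ["rpm", "-Uvh", "nginx.rpm"], "parent": "yum"},
    {"@timestamp": "2024-05-02T09:00:00", "host": "host-b", "name": "rpm",
     "args": ["rpm", "-i", "htop.rpm"], "parent": "dnf"},
    {"@timestamp": "2024-05-03T10:00:00", "host": "host-a", "name": "rpm",
     "args": ["rpm", "-qa"], "parent": "bash"},            # query, not an install
    # alerting period
    {"@timestamp": "2024-05-11T11:00:00", "host": "host-c", "name": "rpm",
     "args": ["rpm", "--install", "app.rpm"], "parent": "yum"},   # yum seen on host-a
    {"@timestamp": "2024-05-12T09:00:00", "host": "host-b", "name": "rpm",
     "args": ["rpm", "-ivh", "agent.rpm"], "parent": "curl"},     # new parent -> hit
    {"@timestamp": "2024-05-12T10:30:00", "host": "host-d", "name": "rpm",
     "args": ["rpm", "-U", "tool.rpm"], "parent": "curl"},        # curl now known
    {"@timestamp": "2024-05-13T12:00:00", "host": "host-a", "name": "rpm",
     "args": ["rpm", "-e", "foo"], "parent": "bash"},             # erase, ignored
    {"@timestamp": "2024-06-20T08:00:00", "host": "host-a", "name": "rpm",
     "args": ["rpm", "-i", "x.rpm"], "parent": "dnf"},            # dnf aged out -> hit
]

# rpm long options that install, upgrade or reinstall a package (assumed set)
INSTALL_LONG_FLAGS = {"--install", "--upgrade", "--reinstall", "--freshen"}


def is_rpm_install(event):
    """True when the event is an rpm invocation that installs or upgrades a package."""
    if event["name"] != "rpm":
        return False
    for token in event["args"][1:]:
        if token in INSTALL_LONG_FLAGS:
            return True
        # short options may be bundled (-Uvh); i, U or F means install/upgrade/freshen
        if token.startswith("-") and not token.startswith("--"):
            if any(c in "iUF" for c in token[1:]):
                return True
    return False


def new_term_hits(events, history_days=30, alert_start="2024-05-10T00:00:00"):
    """Return (timestamp, host, parent) for rpm installs whose parent process name
    has not been seen on any host within history_days; events before alert_start
    only seed the history window, mirroring a warm-up period."""
    last_seen = {}          # parent name -> last timestamp seen, across all hosts
    hits = []
    alert_from = datetime.fromisoformat(alert_start)
    window = timedelta(days=history_days)
    installs = sorted((e for e in events if is_rpm_install(e)),
                      key=lambda e: e["@timestamp"])
    for ev in installs:
        ts = datetime.fromisoformat(ev["@timestamp"])
        term = ev["parent"]
        prev = last_seen.get(term)
        is_new = prev is None or ts - prev > window
        if is_new and ts >= alert_from:
            hits.append((ev["@timestamp"], ev["host"], term))
        last_seen[term] = ts
    return hits


if __name__ == "__main__":
    for ts, host, parent in new_term_hits(SAMPLE_EVENTS):
        print(f"{ts} {host}: rpm install by unusual parent '{parent}'")
```

Two behaviours worth noting: the second `curl` install on host-d is suppressed because the term is tracked across hosts, which is the cross-host FP reduction the issue refers to, and the `dnf` install in June fires again because the term fell out of the history window; lengthening `history_days` removes that second hit.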