Unusual DPKG Execution

Elastic Detection Rules

Summary
This detection rule identifies abnormal executions of the DPKG command by processes that are not associated with the DPKG package manager on Linux systems. The DPKG command is a core component for managing Debian packages, enabling users to install, remove, and manage software on Debian-based systems. However, cyber adversaries may exploit this command to install malicious software or perform unauthorized modifications. The rule flags instances where the DPKG command is executed by unexpected processes, indicating a potential security incident. Specifically, it checks if the process that initiated the DPKG command is not a legitimate part of the package management framework. This evaluation relies on identifying the executable paths and the relationships between the processes that initiated the DPKG command. The rule emphasizes the need for investigating these executions further to determine if the activity is malicious, supported by a structured approach to triage, analyze, and respond to detected anomalies.
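As an added illustration, not Elastic's rule query: the parent-executable check the summary describes, run over a few constructed process-start events. The allowlist of legitimate dpkg parents is an assumption chosen for the example; a real deployment derives it from its own baseline.

```python
from dataclasses import dataclass

# Assumed allowlist (example only): parents that legitimately invoke dpkg
# on a Debian-based host as part of the package-management chain.
LEGIT_DPKG_PARENTS = frozenset({
    "/usr/bin/dpkg",
    "/usr/bin/apt",
    "/usr/bin/apt-get",
    "/usr/bin/unattended-upgrade",
    "/usr/share/debconf/frontend",
})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-start event (constructed shape, ECS-like field names)."""
    host: str
    executable: str          # process.executable
    args: tuple              # process.args
    parent_executable: str   # process.parent.executable


def is_unusual_dpkg_exec(ev: ProcessEvent) -> bool:
    """True when dpkg starts under a parent outside the package-management chain."""
    name = ev.executable.rsplit("/", 1)[-1]
    if name != "dpkg":
        return False
    return ev.parent_executable not in LEGIT_DPKG_PARENTS


def triage(events):
    """Return (host, parent executable, command line) for flagged events."""
    return [(e.host, e.parent_executable, " ".join(e.args))
            for e in events if is_unusual_dpkg_exec(e)]


# Constructed sample events: a routine apt-get driven configure run, a dpkg
# install launched from an interactive shell, and an unrelated apt query.
SAMPLE_EVENTS = [
    ProcessEvent("web-01", "/usr/bin/dpkg", ("dpkg", "--configure", "-a"),
                 "/usr/bin/apt-get"),
    ProcessEvent("web-01", "/usr/bin/dpkg", ("dpkg", "-i", "/tmp/pkg.deb"),
                 "/bin/bash"),
    ProcessEvent("web-01", "/usr/bin/apt", ("apt", "list"), "/bin/bash"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Only the shell-launched dpkg is flagged; the apt-get child is on the allowlist and the apt query never passes the process-name check.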
Categories
  • Linux
  • Endpoint
  • Cloud
  • On-Premise
Data Sources
  • Process
  • Container
ATT&CK Techniques
  • T1546
  • T1546.016
  • T1543
  • T1574
  • T1195
  • T1195.002
Created: 2024-07-09