
DPKG Package Installed by Unusual Parent Process

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies the installation of Debian packages with the dpkg command when it is launched by an unusual parent process. dpkg is central to package management on Linux systems, but it can also be abused by attackers to install malicious software. The rule targets cases where dpkg is invoked by a parent process whose executable deviates from the expected patterns, which may indicate an unauthorized installation. Its query focuses on recent process activity, looking for dpkg executed with the install flags '-i' or '--install'. A match warrants further investigation to confirm that the package installation is legitimate; factors to consider include the legitimacy of the parent process, the source of the package, and the user permissions under which dpkg ran. The rule helps organizations maintain a secure Linux environment by surfacing anomalous package-management activity that may indicate compromise.
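To make the rule's logic concrete, the following is an added Python illustration of the same check run over constructed process events; it is not Elastic's own query, and the parent allowlist, the flattened event shape and the sample events are all assumptions made for this example.

```python
from typing import Iterable

# Install flags named by the rule.
INSTALL_FLAGS = {"-i", "--install"}

# Constructed allowlist of parent executables that normally launch dpkg
# (interactive shells, sudo and the apt front ends). This is an assumption
# for the illustration, not the pattern list the Elastic rule uses.
EXPECTED_PARENT_EXECUTABLES = {
    "/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh", "/bin/dash",
    "/usr/bin/sudo", "/usr/bin/apt", "/usr/bin/apt-get",
}


def is_dpkg_install(event: dict) -> bool:
    """True when the event is dpkg running with one of the install flags."""
    if event.get("process.name") != "dpkg":
        return False
    return any(arg in INSTALL_FLAGS for arg in event.get("process.args", []))


def has_unusual_parent(event: dict) -> bool:
    """True when the parent executable is missing or not on the allowlist."""
    parent = event.get("process.parent.executable")
    return parent not in EXPECTED_PARENT_EXECUTABLES


def matches_rule(event: dict) -> bool:
    """Combine both conditions: a dpkg install launched by an unusual parent."""
    return is_dpkg_install(event) and has_unusual_parent(event)


def scan(events: Iterable[dict]) -> list[str]:
    """Return the ids of the events that warrant investigation."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events in a flattened, ECS-like field layout.
SAMPLE_EVENTS = [
    {"id": "e1", "process.name": "dpkg", "process.args": ["dpkg", "-i", "tool.deb"],
     "process.parent.executable": "/usr/bin/bash"},          # expected parent: no alert
    {"id": "e2", "process.name": "dpkg", "process.args": ["dpkg", "-i", "/tmp/pkg.deb"],
     "process.parent.executable": "/tmp/.cache/loader"},     # unusual parent: alert
    {"id": "e3", "process.name": "dpkg", "process.args": ["dpkg", "--list"],
     "process.parent.executable": "/tmp/.cache/loader"},     # no install flag: no alert
    {"id": "e4", "process.name": "dpkg", "process.args": ["dpkg", "--install", "agent.deb"],
     "process.parent.executable": "/var/tmp/updater"},       # unusual parent: alert
]

if __name__ == "__main__":
    for event_id in scan(SAMPLE_EVENTS):
        print("investigate:", event_id)
```

In a real deployment the allowlist would be tuned to the hosts' actual package-management tooling, since the rule's value depends on how well "expected parent" matches the environment.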
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1543
  • T1546
  • T1546.016
  • T1574
  • T1195
  • T1195.002
Created: 2024-07-09