
Summary
This detection rule identifies the installation of potentially malicious tools within Linux containers, an activity typically carried out by attackers preparing the environment for lateral movement or reconnaissance. The rule monitors specific package management commands (such as `apt`, `yum`, and `apk`) executed interactively, which suggests hands-on activity rather than an automated image build. Indicators include the installation of utilities such as `curl`, `netcat`, and `socat`, which are often used in attacks to fetch payloads or communicate with an external command and control server. The detection logic matches processes started in Linux container environments marked as interactive and narrows the match to invocations that install those packages. The rule helps maintain the integrity of containerized applications and supports an effective response to unauthorized software installations.
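As an added example (not the rule's own logic and not any vendor's code), the matching described above applied to constructed process events in Python. The event field names (`container_id`, `interactive`, `command_line`), the inclusion of `apt-get` alongside the page's `apt`, `yum` and `apk`, and the distribution package names listed for netcat are assumptions made for this example, not details taken from the rule.

```python
"""Apply the rule's logic to process events.

Added example: the event schema below is constructed for illustration and is
not the field layout of any particular product.
"""
import os
import shlex
from typing import Iterable, Set

# Package managers named in the rule; apt-get is added here as the
# scriptable front end of apt (an assumption beyond the page's list).
PACKAGE_MANAGERS = {"apt", "apt-get", "yum", "apk"}
# Sub-commands that install packages: apt and yum use "install", apk uses "add".
INSTALL_VERBS = {"install", "add"}
# Utilities the rule calls out, plus the package names that commonly provide
# netcat on Debian and Alpine (constructed list, extend as needed).
SUSPICIOUS_PACKAGES = {
    "curl", "socat", "netcat", "netcat-openbsd", "netcat-traditional", "nc",
}


def parse_install(command_line: str) -> Set[str]:
    """Return the suspicious packages an install command would pull in.

    Returns an empty set when the command is not a package-manager install
    (e.g. `apt-get update`) or installs only unlisted packages.
    """
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: unparseable, so no match
        return set()
    # Drop a leading privilege wrapper so `sudo apt install curl` still matches.
    while tokens and os.path.basename(tokens[0]) == "sudo":
        tokens = tokens[1:]
    if not tokens or os.path.basename(tokens[0]) not in PACKAGE_MANAGERS:
        return set()
    verb_index = next((i for i, t in enumerate(tokens) if t in INSTALL_VERBS), None)
    if verb_index is None:
        return set()
    found = set()
    for token in tokens[verb_index + 1:]:
        if token.startswith("-"):  # ignore flags such as -y or --no-cache
            continue
        # Strip version pins: apt's "curl=7.88.1-10" or apk's "socat~1.7".
        name = token.split("=", 1)[0].split("~", 1)[0]
        if name in SUSPICIOUS_PACKAGES:
            found.add(name)
    return found


def evaluate(events: Iterable[dict]) -> list:
    """Apply the rule: an interactive process inside a container that installs
    a suspicious package. Returns matching events annotated with the packages
    that triggered the match."""
    matches = []
    for event in events:
        if not event.get("container_id"):  # rule scope: containers only
            continue
        if not event.get("interactive"):  # hands-on activity only
            continue
        packages = parse_install(event.get("command_line", ""))
        if packages:
            matches.append({**event, "matched_packages": sorted(packages)})
    return matches


# Constructed sample events covering the match and the main non-match cases.
SAMPLE_EVENTS = [
    {"id": 1, "container_id": "c0ffee", "interactive": True,
     "command_line": "apt-get install -y curl"},
    {"id": 2, "container_id": "c0ffee", "interactive": False,  # image build step
     "command_line": "apk add --no-cache curl"},
    {"id": 3, "container_id": "deadbeef", "interactive": True,
     "command_line": "sudo apk add socat netcat-openbsd"},
    {"id": 4, "container_id": "", "interactive": True,  # host process, out of scope
     "command_line": "yum install socat"},
    {"id": 5, "container_id": "c0ffee", "interactive": True,  # not an install
     "command_line": "apt-get update"},
    {"id": 6, "container_id": "c0ffee", "interactive": True,  # unlisted package
     "command_line": "apt install vim"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"event {hit['id']}: {hit['command_line']!r} -> {hit['matched_packages']}")
```

Running the block flags events 1 and 3 only: the non-interactive `apk add` from an image build, the host-side `yum install`, the `apt-get update` and the `vim` install all fall outside the rule's conditions, which is the behaviour that keeps the rule's false-positive rate manageable in CI-heavy environments.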
Categories
- Containers
- Linux
Data Sources
- Container
- Process
ATT&CK Techniques
- T1072
Created: 2026-01-21