T1072 Software Deployment Tools Mappings

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
SA-10 | Developer Configuration Management | Protects | T1072 | Software Deployment Tools |
SA-09 | External System Services | Protects | T1072 | Software Deployment Tools |
CM-11 | User-installed Software | Protects | T1072 | Software Deployment Tools |
AC-12 | Session Termination | Protects | T1072 | Software Deployment Tools |
AC-02 | Account Management | Protects | T1072 | Software Deployment Tools |
AC-20 | Use of External Systems | Protects | T1072 | Software Deployment Tools |
AC-03 | Access Enforcement | Protects | T1072 | Software Deployment Tools |
AC-04 | Information Flow Enforcement | Protects | T1072 | Software Deployment Tools |
AC-05 | Separation of Duties | Protects | T1072 | Software Deployment Tools |
AC-06 | Least Privilege | Protects | T1072 | Software Deployment Tools |
CA-07 | Continuous Monitoring | Protects | T1072 | Software Deployment Tools |
CM-02 | Baseline Configuration | Protects | T1072 | Software Deployment Tools |
CM-05 | Access Restrictions for Change | Protects | T1072 | Software Deployment Tools |
CM-06 | Configuration Settings | Protects | T1072 | Software Deployment Tools |
CM-07 | Least Functionality | Protects | T1072 | Software Deployment Tools |
CM-08 | System Component Inventory | Protects | T1072 | Software Deployment Tools |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1072 | Software Deployment Tools |
IA-05 | Authenticator Management | Protects | T1072 | Software Deployment Tools |
SC-12 | Cryptographic Key Establishment and Management | Protects | T1072 | Software Deployment Tools |
SC-17 | Public Key Infrastructure Certificates | Protects | T1072 | Software Deployment Tools |
SC-46 | Cross Domain Policy Enforcement | Protects | T1072 | Software Deployment Tools |
SC-07 | Boundary Protection | Protects | T1072 | Software Deployment Tools |
SI-02 | Flaw Remediation | Protects | T1072 | Software Deployment Tools |
SI-23 | Information Fragmentation | Protects | T1072 | Software Deployment Tools |
SI-03 | Malicious Code Protection | Protects | T1072 | Software Deployment Tools |
SI-04 | System Monitoring | Protects | T1072 | Software Deployment Tools |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1072 | Software Deployment Tools |
DEF-SecScore-E3 | Secure Score | Technique Scores | T1072 | Software Deployment Tools | See comments below
Comments (DEF-SecScore-E3)

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.

To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:

- Identity (Microsoft Entra accounts & roles)
- Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
- Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
- Data (through Microsoft Information Protection)