Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.
Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
SaaS-based configuration management services may allow for broad Cloud Administration Command on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize Web Protocols to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)
Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)
The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching software deployment tools and systems regularly helps prevent potential remote access through Exploitation for Privilege Escalation.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of revocation of keys and key management. Employing key protection strategies for key material used in software deployment tools including signing, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to misuse software deployment tools.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. The permissions required for execution of this technique vary by system configuration. Employing proper system isolation can protect critical network systems from potential exploitation.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1072 | Software Deployment Tools | |
| action.malware.variety.Adminware | System or network utilities (e.g., PsTools, Netcat) | related-to | T1072 | Software Deployment Tools | |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1072 | Software Deployment Tools | |
| action.malware.vector.Software update | Included in automated software update | related-to | T1072 | Software Deployment Tools | |
| attribute.integrity.variety.Software installation | Software installation or code modification | related-to | T1072 | Software Deployment Tools |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1072 | Software Deployment Tools |
Comments
This control can be used to limit access to critical network systems such as software deployment tools.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1072 | Software Deployment Tools |
Comments
This control can detect anomalous traffic with respect to critical systems and software deployment ports.
References
|
| azure_update_manager | Azure Update Manager | technique_scores | T1072 | Software Deployment Tools |
Comments
This control provides partial coverage of attacks that leverage software flaws in unpatched deployment tools since it enables automated updates of software and rapid configuration change management.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| artifact_analysis | Artifact Analysis | technique_scores | T1072 | Software Deployment Tools |
Comments
Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect variations to store system packages and container images.
References
|
| google_secops | Google Security Operations | technique_scores | T1072 | Software Deployment Tools |
Comments
Google Security Ops is able to trigger alerts based off suspicious activity on a Linux host that could indicate a bind or reverse shell with Netcat tool. Note: This rule requires installation of auditbeat on the host machine to properly function.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/linux/possible_bind_or_reverse_shell_via_netcat__auditbeat_for_linux.yaral
References
|
| vm_manager | VM Manager | technique_scores | T1072 | Software Deployment Tools |
Comments
VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1072 | Software Deployment Tools |
Comments
VPC security groups and network access control lists (NACLs) can be used to limit access to critical network systems such as software deployment tools.
References
|