T1072 Software Deployment Tools Mappings

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.

Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

SaaS-based configuration management services may allow for broad Cloud Administration Command on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize Web Protocols to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)

Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)

The permissions required vary by system configuration: local credentials may be sufficient when the adversary has direct access to the third-party system, or specific domain credentials may be required. In either case, the system may require an administrative account to log in or to reach the functionality that executes code on managed endpoints.
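The cloud administration command path described above (SaaS-based configuration management such as AWS Systems Manager driving arbitrary commands on every managed host) is the kind of activity the SI-04 and AC-06 mappings below are meant to catch. The following is an added example, not code from the MITRE mapping page or from AWS: it applies a small triage rule to CloudTrail-shaped records of ssm:SendCommand. The records, the allow-listed automation role, the fan-out threshold and the field layout are constructed for illustration; the rule looks only at the document name, the calling principal and the breadth of the target set, because the actual command text is often not the most reliable signal to key on in audit logs.

```python
"""Flag suspicious AWS Systems Manager Run Command calls (T1072 abuse) in
CloudTrail-style records. Added example; field names, the allow-list and
the threshold are assumptions, and SAMPLE is constructed, not real data."""

# Documents that execute arbitrary shell or PowerShell on every targeted host.
REMOTE_EXEC_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}

# Hypothetical principals that are expected to drive Run Command (patching,
# CI/CD). Anything else invoking an arbitrary-command document is suspect.
ALLOWED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/PatchAutomation/ssm",
}

# Hypothetical threshold: more explicit instance IDs than this is "fan-out".
MAX_INSTANCES = 5


def is_broad_target(params):
    """True when the call fans out to many hosts, either by a long explicit
    instance list or by a tag / resource-group / wildcard target selector."""
    if len(params.get("instanceIds") or []) > MAX_INSTANCES:
        return True
    for target in params.get("targets") or []:
        key = target.get("key", "")
        values = target.get("values", [])
        # tag:* and resource-groups:* selectors address whole fleets;
        # a literal "*" value matches every instance.
        if key.startswith(("tag:", "resource-groups:")) or "*" in values:
            return True
    return False


def evaluate(event):
    """Return the reasons an SSM SendCommand event looks like T1072 abuse.
    An empty list means the event is not interesting to this rule."""
    if (event.get("eventSource") != "ssm.amazonaws.com"
            or event.get("eventName") != "SendCommand"):
        return []
    params = event.get("requestParameters") or {}
    if params.get("documentName") not in REMOTE_EXEC_DOCUMENTS:
        return []  # patch baselines, inventory etc. are out of scope here
    actor = (event.get("userIdentity") or {}).get("arn", "")
    reasons = []
    if actor not in ALLOWED_PRINCIPALS:
        reasons.append("unexpected principal " + actor)
    if is_broad_target(params):
        reasons.append("broad target set")
    return reasons


def scan(records):
    """Run evaluate() over a batch and keep only the events with findings."""
    findings = []
    for record in records:
        reasons = evaluate(record)
        if reasons:
            findings.append((record.get("eventID"), reasons))
    return findings


AUTOMATION = "arn:aws:sts::111122223333:assumed-role/PatchAutomation/ssm"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"

# Constructed records approximating CloudTrail's shape for ssm:SendCommand.
SAMPLE = [
    {"eventID": "e1", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": AUTOMATION},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                           "targets": [{"key": "tag:PatchGroup", "values": ["web"]}]}},
    {"eventID": "e2", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": AUTOMATION},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0a1b2c3d4e5f60001", "i-0a1b2c3d4e5f60002"]}},
    {"eventID": "e3", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": CONTRACTOR},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0a1b2c3d4e5f60001"]}},
    {"eventID": "e4", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": AUTOMATION},
     "requestParameters": {"documentName": "AWS-RunPowerShellScript",
                           "targets": [{"key": "tag:Environment", "values": ["prod"]}]}},
    {"eventID": "e5", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": CONTRACTOR},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-%016d" % n for n in range(8)]}},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE):
        print(event_id, "->", "; ".join(reasons))
```

The same shape of rule transfers to other tools in the list above: Intune and Configuration Manager script deployments, or Altiris jobs, can be triaged on who initiated them and how many devices they address, which is exactly the least-privilege and separation-of-duties concern the NIST mappings below point at.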


NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1072 Software Deployment Tools
CM-06 Configuration Settings mitigates T1072 Software Deployment Tools
CM-05 Access Restrictions for Change mitigates T1072 Software Deployment Tools
IA-05 Authenticator Management mitigates T1072 Software Deployment Tools
SA-10 Developer Configuration Management mitigates T1072 Software Deployment Tools
SC-12 Cryptographic Key Establishment and Management mitigates T1072 Software Deployment Tools
SC-17 Public Key Infrastructure Certificates mitigates T1072 Software Deployment Tools
SI-23 Information Fragmentation mitigates T1072 Software Deployment Tools
SA-09 External System Services mitigates T1072 Software Deployment Tools
CM-11 User-installed Software mitigates T1072 Software Deployment Tools
SI-02 Flaw Remediation mitigates T1072 Software Deployment Tools
CM-08 System Component Inventory mitigates T1072 Software Deployment Tools
SC-46 Cross Domain Policy Enforcement mitigates T1072 Software Deployment Tools
SI-03 Malicious Code Protection mitigates T1072 Software Deployment Tools
SI-07 Software, Firmware, and Information Integrity mitigates T1072 Software Deployment Tools
AC-20 Use of External Systems mitigates T1072 Software Deployment Tools
CM-02 Baseline Configuration mitigates T1072 Software Deployment Tools
IA-02 Identification and Authentication (Organizational Users) mitigates T1072 Software Deployment Tools
CM-07 Least Functionality mitigates T1072 Software Deployment Tools
SI-04 System Monitoring mitigates T1072 Software Deployment Tools
AC-12 Session Termination mitigates T1072 Software Deployment Tools
AC-02 Account Management mitigates T1072 Software Deployment Tools
AC-03 Access Enforcement mitigates T1072 Software Deployment Tools
AC-04 Information Flow Enforcement mitigates T1072 Software Deployment Tools
AC-05 Separation of Duties mitigates T1072 Software Deployment Tools
AC-06 Least Privilege mitigates T1072 Software Deployment Tools
SC-07 Boundary Protection mitigates T1072 Software Deployment Tools

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1072 Software Deployment Tools
action.malware.variety.Adminware System or network utilities (e.g., PsTools, Netcat) related-to T1072 Software Deployment Tools
action.malware.variety.Export data Export data to another site or system related-to T1072 Software Deployment Tools
action.malware.vector.Software update Included in automated software update related-to T1072 Software Deployment Tools
attribute.integrity.variety.Software installation Software installation or code modification related-to T1072 Software Deployment Tools

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
artifact_analysis Artifact Analysis technique_scores T1072 Software Deployment Tools
Comments
Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect vulnerable versions of the system packages and container images stored there, which helps surface a compromised or tampered artifact before a deployment tool pushes it to endpoints.
google_secops Google Security Operations technique_scores T1072 Software Deployment Tools
Comments
Google Security Ops is able to trigger alerts based on suspicious activity on a Linux host that could indicate a bind or reverse shell launched with the Netcat tool. Note: this rule requires installation of auditbeat on the host machine to function properly. This technique was scored as Minimal because of the low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/linux/possible_bind_or_reverse_shell_via_netcat__auditbeat_for_linux.yaral
vm_manager VM Manager technique_scores T1072 Software Deployment Tools
Comments
VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager does not directly prevent exploitation of active vulnerabilities (including zero-day vulnerabilities), this control has resulted in a score of Partial.

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1072 Software Deployment Tools
Comments
VPC security groups and network access control lists (NACLs) can be used to limit which hosts and networks can reach critical systems such as software deployment tool servers and their management interfaces, reducing the chance that an adversary with a foothold elsewhere can reach the tool at all.