Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.
Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
SaaS-based configuration management services may allow for broad Cloud Administration Command on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize Web Protocols to communicate back to adversary-owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)
Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)
The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-14 | Strong Authentication | mitigates | T1072 | Software Deployment Tools | This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access; implement secure centralized authentication systems and digital certificates; protect credentials; monitor authentication activity; and ensure strong, risk-based authentication measures are consistently applied and reviewed. |
| IAM-06 | User Access Provisioning | mitigates | T1072 | Software Deployment Tools | This control describes the implementation of a secure and controlled user access provisioning process. Proper user account management reduces the attack surface by limiting unauthorized access to data, assets, and systems. Managing account access authorizations can reduce the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions. |
| I&S-06 | Segmentation and Segregation | mitigates | T1072 | Software Deployment Tools | This control provides for appropriately segmented and segregated cloud environments. Isolation of critical network systems through use of cloud-based segmentation, virtual private cloud (VPC) security groups, network access control lists (NACLs), and firewalls can mitigate abuse of centralized software suites. |
| I&S-09 | Network Defense | mitigates | T1072 | Software Deployment Tools | This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Isolation of critical network systems through use of cloud-based segmentation, virtual private cloud (VPC) security groups, network access control lists (NACLs), and firewalls can mitigate abuse of centralized software suites. |
| IPY-02 | Application Interface Availability | mitigates | T1072 | Software Deployment Tools | This control requires the CSP to provide secure, standards-based, interoperable APIs with up-to-date documentation and to communicate changes, while the CSC must review API documentation, use open standards, test API functionality for data transfer and recovery, monitor for outages and changes, and ensure secure, portable, and interoperable cloud deployments. |
| IAM-05 | Least Privilege | mitigates | T1072 | Software Deployment Tools | This control describes the enforcement of the principle of least privilege, implemented through controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. In terms of mitigation, ensure that any accounts used by third-party providers to access these systems are traceable to the third party and are not used throughout the network or by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation. |
| DSP-15 | Limitation of Production Data Use | mitigates | T1072 | Software Deployment Tools | This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands, such as replicating production data into non-production environments. In terms of mitigation, grant access to application deployment systems only to a limited number of authorized administrators, which limits the ability to replicate data across production and non-production environments. Also verify that account credentials used to access deployment systems are unique and not reused throughout the enterprise network; this limits abuse of this technique to replicate production data into non-production environments. |
| AIS-06 | Automated Secure Application Deployment | mitigates | T1072 | Software Deployment Tools | This control applies to the secure deployment of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may gain access to and use configuration management and software deployment applications to execute commands and move laterally through the network. Security requirements for secure application deployment, such as granting access to application deployment systems only to authorized users and administrators, or ensuring the application deployment system can be configured to deploy only signed binaries, can mitigate the adversary's abuse of this technique to execute commands and move laterally through the network. |
| AIS-02 | Application Security Baseline Requirements | mitigates | T1072 | Software Deployment Tools | This control guidance requires organizations to establish security baseline requirements for different cloud applications. Security requirement examples include access control, encryption, and configuration management for applications. Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Ensuring proper system and access control isolation for cloud applications through use of group policy may aid in mitigating this technique. |
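As an added example (not part of the mapping page or of any vendor tooling) of the least-privilege review that IAM-05 and DSP-15 call for on deployment systems: a small Python audit that flags IAM statements granting AWS Systems Manager command execution on every managed instance, beside a narrowed policy scoped to one approved document and explicit instance ARNs. The action list is illustrative and the account and instance identifiers are placeholders.

```python
"""Audit IAM policy statements for broad AWS Systems Manager command-execution rights.

Added example: flags statements that let a principal run commands on any managed
instance (the access needed to abuse SSM as a deployment tool) and contrasts them
with a narrowed policy. REMOTE_EXEC_ACTIONS is an illustrative, not exhaustive, list.
"""
import fnmatch
import json

REMOTE_EXEC_ACTIONS = ("ssm:SendCommand", "ssm:StartSession")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def broad_exec_statements(policy: dict) -> list:
    """Return Allow statements that grant remote-exec actions on Resource "*"
    with no Condition narrowing them (wildcards such as ssm:* are expanded)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        hits = [a for a in REMOTE_EXEC_ACTIONS
                if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if hits and "*" in resources and not stmt.get("Condition"):
            findings.append({"Sid": stmt.get("Sid", "<no Sid>"), "Actions": hits})
    return findings


# Constructed sample: the broad grant an audit should flag ...
BROAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AnyInstance", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}""")

# ... and a narrowed version: one approved AWS-owned document on explicitly
# listed instances. ACCOUNT_ID and the instance id are placeholders.
SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ApprovedDocOnly", "Effect": "Allow", "Action": "ssm:SendCommand",
   "Resource": ["arn:aws:ssm:us-east-1::document/AWS-RunPatchBaseline",
                "arn:aws:ec2:us-east-1:ACCOUNT_ID:instance/i-0123456789abcdef0"]}]}""")

if __name__ == "__main__":
    print(broad_exec_statements(BROAD_POLICY))   # one finding for Sid AnyInstance
    print(broad_exec_statements(SCOPED_POLICY))  # []
```

A statement with Resource "*" but a Condition is deliberately not flagged, so conditioned grants still need a manual look.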