Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).
Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
network_security_groups | Network Security Groups | technique_scores | T1072 | Software Deployment Tools | Comments: This control can be used to limit access to critical network systems such as software deployment tools.
azure_automation_update_management | Azure Automation Update Management | technique_scores | T1072 | Software Deployment Tools | Comments: This control provides partial coverage of attacks that leverage software flaws in unpatched deployment tools, since it enables automated updates of software and rapid configuration change management.
azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1072 | Software Deployment Tools | Comments: This control can detect anomalous traffic with respect to critical systems and software deployment ports.
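The two network controls above (restricting who can reach deployment-tool systems, and detecting traffic to deployment ports that falls outside that restriction) can be illustrated with a small detector. The following Python is an added example written for this page, not code from MITRE or from any Azure product. It assumes a constructed comma-separated flow record format (timestamp, source IP, destination IP, source port, destination port, protocol, NSG decision with A = allowed and D = denied), an assumed admin subnet and critical-system subnet, and an illustrative port-to-tool map; none of these values come from the page.

```python
"""Flag flows to software-deployment-tool ports from outside an approved admin subnet.

Added example, not the page's or Azure's code. The record format, subnets, port
map and log lines below are all constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

# Illustrative listener ports for tools named in the technique description
# (VNC) and a common update/deployment service; adjust to your environment.
DEPLOYMENT_PORTS = {
    5900: "VNC",
    8530: "WSUS / software update point (HTTP)",
    8531: "WSUS / software update point (HTTPS)",
}

# Assumed network layout: admins live in ADMIN_SUBNET, deployment servers in
# CRITICAL_SUBNET. Only admin sources should ever reach deployment ports.
ADMIN_SUBNET = "10.10.1.0/24"
CRITICAL_SUBNET = "10.20.0.0/24"

# Constructed flow records: ts,src,dst,sport,dport,proto,decision
FLOW_LOG = """\
1700000000,10.10.1.5,10.20.0.10,51000,5900,T,A
1700000001,10.10.1.6,10.20.0.10,51001,5900,T,A
1700000002,10.50.3.9,10.20.0.10,40000,5900,T,A
1700000003,10.50.3.9,10.20.0.11,40001,8530,T,A
1700000004,10.50.3.9,10.20.0.11,40002,8530,T,D
1700000005,10.50.4.2,10.20.0.12,40003,443,T,A
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    src_port: int
    dst_port: int
    proto: str
    decision: str  # "A" = allowed by the NSG, "D" = denied


@dataclass(frozen=True)
class Finding:
    ts: int
    src: str
    dst: str
    dst_port: int
    tool: str
    allowed: bool  # True means the NSG let the flow through: highest concern


def parse_flows(text):
    """Parse the constructed record format, skipping blank, comment or malformed lines."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 7:
            continue  # a malformed record must not crash the detector
        ts, src, dst, sport, dport, proto, decision = fields
        flows.append(Flow(int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(sport), int(dport), proto, decision))
    return flows


def detect(text, admin_subnet, critical_subnet, ports=DEPLOYMENT_PORTS):
    """Return a Finding for every flow to a deployment port on a critical host
    whose source is outside the admin subnet, whether the NSG allowed it or not.
    Denied flows are kept because repeated denies from one source are still
    worth a look; allowed flows indicate the NSG rule set has a gap."""
    admin = ipaddress.ip_network(admin_subnet)
    critical = ipaddress.ip_network(critical_subnet)
    findings = []
    for fl in parse_flows(text):
        if fl.dst_port not in ports or fl.dst not in critical:
            continue
        if fl.src in admin:
            continue
        findings.append(Finding(fl.ts, str(fl.src), str(fl.dst), fl.dst_port,
                                ports[fl.dst_port], fl.decision == "A"))
    return findings


def sources_reaching_tools(findings):
    """Sorted source addresses whose flows to deployment ports were actually allowed."""
    return sorted({f.src for f in findings if f.allowed})


if __name__ == "__main__":
    for f in detect(FLOW_LOG, ADMIN_SUBNET, CRITICAL_SUBNET):
        state = "ALLOWED" if f.allowed else "blocked"
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dst_port} ({f.tool}) {state}")
    print("non-admin sources that reached a deployment tool:",
          sources_reaching_tools(detect(FLOW_LOG, ADMIN_SUBNET, CRITICAL_SUBNET)))
```

On the constructed log the two admin flows are ignored, the allowed flows from 10.50.3.9 to the VNC and update ports are reported as gaps in the NSG rule set, the denied flow from the same source is kept as lower-priority evidence that the control fired, and the HTTPS flow to port 443 is not a finding because it is not a deployment-tool port in the assumed map.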