T1072 Software Deployment Tools Mappings

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-12 | Session Termination | Protects | T1072 | Software Deployment Tools | |
| AC-2 | Account Management | Protects | T1072 | Software Deployment Tools | |
| AC-20 | Use of External Systems | Protects | T1072 | Software Deployment Tools | |
| AC-3 | Access Enforcement | Protects | T1072 | Software Deployment Tools | |
| AC-4 | Information Flow Enforcement | Protects | T1072 | Software Deployment Tools | |
| AC-5 | Separation of Duties | Protects | T1072 | Software Deployment Tools | |
| AC-6 | Least Privilege | Protects | T1072 | Software Deployment Tools | |
| CA-7 | Continuous Monitoring | Protects | T1072 | Software Deployment Tools | |
| CM-2 | Baseline Configuration | Protects | T1072 | Software Deployment Tools | |
| CM-5 | Access Restrictions for Change | Protects | T1072 | Software Deployment Tools | |
| CM-6 | Configuration Settings | Protects | T1072 | Software Deployment Tools | |
| CM-7 | Least Functionality | Protects | T1072 | Software Deployment Tools | |
| CM-8 | System Component Inventory | Protects | T1072 | Software Deployment Tools | |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1072 | Software Deployment Tools | |
| IA-5 | Authenticator Management | Protects | T1072 | Software Deployment Tools | |
| SC-12 | Cryptographic Key Establishment and Management | Protects | T1072 | Software Deployment Tools | |
| SC-17 | Public Key Infrastructure Certificates | Protects | T1072 | Software Deployment Tools | |
| SC-46 | Cross Domain Policy Enforcement | Protects | T1072 | Software Deployment Tools | |
| SC-7 | Boundary Protection | Protects | T1072 | Software Deployment Tools | |
| SI-2 | Flaw Remediation | Protects | T1072 | Software Deployment Tools | |
| SI-23 | Information Fragmentation | Protects | T1072 | Software Deployment Tools | |
| SI-3 | Malicious Code Protection | Protects | T1072 | Software Deployment Tools | |
| SI-4 | System Monitoring | Protects | T1072 | Software Deployment Tools | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1072 | Software Deployment Tools | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1072 | Software Deployment Tools | |
| action.malware.variety.Adminware | System or network utilities (e.g., PsTools, Netcat) | related-to | T1072 | Software Deployment Tools | |
| action.malware.vector.Software update | Included in automated software update | related-to | T1072 | Software Deployment Tools | |
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1072 | Software Deployment Tools | Comments: VPC security groups and network access control lists (NACLs) can be used to limit access to critical network systems such as software deployment tools. |