Tactics: Execution, Lateral Movement

T1072: Software Deployment Tools


T1072 · Technique · 5 platforms · 7 groups

Description

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.

Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

SaaS-based configuration management services may allow for broad Cloud Administration Command on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize Web Protocols to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)

Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.
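As an added illustration, not part of the ATT&CK entry, the following Python scores audit records from a hypothetical deployment console against the controls the page lists (M1026 limited administrators, M1018 traceable third-party accounts, M1029 signed-only deployment) and flags tasks aimed at every managed endpoint, which is the worst case the description warns about. The record format, account names, collection names and policy sets are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeployTask:
    """One audit record from a hypothetical deployment console (constructed format)."""
    task_id: str
    creator: str      # account that created the deployment or script task
    scope: str        # target collection; "All Systems" reaches every endpoint
    payload: str      # binary or script the task runs on the endpoints
    signed: bool      # whether the deployment system verified the payload signature
    source_host: str  # host the console/API session came from

# Constructed policy data, standing in for what an enterprise would maintain.
AUTHORIZED_ADMINS = {"alice.admin", "svc-deploy"}   # M1026: a short list of named admins
VENDOR_ACCOUNTS = {"vendor-ops": "vendor-jump"}     # M1018: account -> expected host prefix
BROAD_SCOPES = {"All Systems", "All Desktop and Server Clients"}

def score_task(task: DeployTask) -> list[str]:
    """Return policy violations for one task; an empty list means no finding."""
    reasons: list[str] = []
    if task.creator not in AUTHORIZED_ADMINS and task.creator not in VENDOR_ACCOUNTS:
        reasons.append("creator is not an authorized deployment admin (M1026)")
    expected_prefix = VENDOR_ACCOUNTS.get(task.creator)
    if expected_prefix and not task.source_host.startswith(expected_prefix):
        reasons.append("third-party account used outside its expected host (M1018)")
    if task.scope in BROAD_SCOPES:
        # One task here yields code execution on every connected system.
        reasons.append("task targets every managed endpoint")
    if not task.signed:
        reasons.append("unsigned payload accepted for deployment (M1029)")
    return reasons

def find_suspicious(tasks: list[DeployTask]) -> dict[str, list[str]]:
    """Map task_id -> violations for every task that triggers at least one check."""
    findings: dict[str, list[str]] = {}
    for task in tasks:
        reasons = score_task(task)
        if reasons:
            findings[task.task_id] = reasons
    return findings

# Constructed sample audit records: one routine patch, one broad unsigned push
# by an unauthorized user, one vendor account used from an ordinary workstation.
SAMPLE_TASKS = [
    DeployTask("T-1001", "alice.admin", "Finance Workstations", "patch.msi", True, "mgmt-jump01"),
    DeployTask("T-1002", "bob.user", "All Systems", "cleanup.exe", False, "ws-0421"),
    DeployTask("T-1003", "vendor-ops", "Servers", "agent.exe", True, "ws-0421"),
]

if __name__ == "__main__":
    for task_id, reasons in find_suspicious(SAMPLE_TASKS).items():
        print(task_id, "->", "; ".join(reasons))
```

In a real deployment the records would come from the product's own audit log or API rather than an inline list, and the policy sets from the change-management system.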

Platforms

Linux, macOS, Network Devices, SaaS, Windows

Mitigations (10)

User Account Management (M1018)

Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is n

Active Directory Configuration (M1015)

Ensure proper system and access isolation for critical network systems through use of group policy.

Update Software (M1051)

Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.

Privileged Account Management (M1026)

Grant access to application deployment systems only to a limited number of authorized administrators.

Password Policies (M1027)

Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.

Limit Software Installation (M1033)

Restrict the use of third-party software suites installed within an enterprise network.

Network Segmentation (M1030)

Ensure proper system isolation for critical network systems through use of firewalls.

User Training (M1017)

Have a strict approval policy for use of deployment systems.

Multi-factor Authentication (M1032)

Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.

Remote Data Storage (M1029)

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

Threat Groups (7)

| ID | Group | Context |
|---|---|---|
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) compromised McAfee ePO to move laterally by distributing malware as a software deployment task.(Citatio... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used the commercially available tool RemoteExec for agentless remote code execution.(Citati... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged legitimate software tools such as AntiVirus Agents, Security Services, and App De... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged legitimate built-in features of cloud-based management platforms to include mobi... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used RAdmin, a remote software tool used to remotely control workstations and ATMs.(Citation: Gro... |
| G0028 | Threat Group-1314 | [Threat Group-1314](https://attack.mitre.org/groups/G0028) actors used a victim's endpoint management platform, Altiris, for lateral movement.(Citatio... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized software deployment and management solutions to deploy their encryption payload to ... |

Associated Software (1)

| ID | Name | Type | Context |
|---|---|---|---|
| S0041 | Wiper | Malware | It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the [Wiper]... |

Frequently Asked Questions

What is T1072 (Software Deployment Tools)?

T1072 is a MITRE ATT&CK technique named 'Software Deployment Tools'. It belongs to the Execution and Lateral Movement tactics. Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software depl...

How can T1072 be detected?

Detection of T1072 (Software Deployment Tools) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1072?

There are 10 documented mitigations for T1072. Key mitigations include: User Account Management, Active Directory Configuration, Update Software, Privileged Account Management, Password Policies.

Which threat groups use T1072?

Known threat groups using T1072 include: APT32, Sandworm Team, Mustang Panda, VOID MANTICORE, Silence, Threat Group-1314, Medusa Group.