Skip to content

DET0223 Detection of Adversary Abuse of Software Deployment Tools

Item Value
ID DET0223
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1072 (Software Deployment Tools)

Analytics

Windows

AN0623

Detects SCCM, Intune, or remote push execution spawning scripts or binaries from SYSTEM context or unusual consoles (e.g., cmtrace.exe launching PowerShell or cmd.exe).

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Application Log Content (DC0038) WinEventLog:Application SCCM, Intune logs
Mutable Elements
Field Description
ParentImageList Allowlist of known SCCM-related binary spawners (e.g., ‘CCMExec.exe’)
UserContext Expected deployment activity from scheduled system accounts
TimeWindow Unusual deployment timing outside standard maintenance hours

Linux

AN0624

Detects remote scripts or binaries deployed via Puppet, Chef, Ansible, or shell scripts from orchestration servers executing outside maintenance windows or in unmanaged nodes.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
DeployingHostAllowList Approved orchestration or jump box IPs
ScriptExecutionBaseline Expected scripts, interpreters, or package managers used

macOS

AN0625

Detects script or binary execution initiated via JAMF, Munki, or custom MDM agents outside of baseline, or JAMF launching new Terminal or osascript processes from remote command payloads.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process and signing chain events
Application Log Content (DC0038) macos:jamf RemoteCommandExecution
Mutable Elements
Field Description
SigningAuthorityList Expected signing authorities for JAMF and MDM scripts
RemoteCommandInterval Frequency of remote execution from MDM servers

SaaS

AN0626

Detects cloud-native software deployment or management (e.g., SSM Run Command, Intune) initiating script execution on endpoints outside expected org IDs, admin groups, or maintenance windows.

Log Sources
Data Component Name Channel
Command Execution (DC0064) AWS:CloudTrail SSM RunCommand
Mutable Elements
Field Description
IAMRoleAllowList Approved deployment administrators or service accounts
ExecutionTargetList Expected endpoints targeted by SaaS deployments

Network Devices

AN0627

Detects central router or switch config management tools (e.g., FortiManager, Cisco Prime) triggering device reboots or config pushes using abnormal accounts or IPs.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) networkdevice:syslog config push events
Network Traffic Flow (DC0078) NSM:Flow Device-to-Device Deployment Flows
Mutable Elements
Field Description
PushSourceAllowList Devices or IPs allowed to push firmware or scripts
AuthUserPattern Expected CLI or API user performing configuration