T1072 Software Deployment Tools
Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).
Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.
Item | Value |
---|---|
ID | T1072 |
Sub-techniques | |
Tactics | TA0002, TA0008 |
Platforms | Linux, Windows, macOS |
Permissions required | Administrator, SYSTEM, User |
Version | 2.1 |
Created | 31 May 2017 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0050 | APT32 | APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task. [2] |
C0018 | C0018 | During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network. [6] |
G0034 | Sandworm Team | Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution. [3] |
G0091 | Silence | Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs. [4] |
G0028 | Threat Group-1314 | Threat Group-1314 actors used a victim’s endpoint management platform, Altiris, for lateral movement. [5] |
S0041 | Wiper | It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the Wiper malware. [1] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1015 | Active Directory Configuration | Ensure proper system and access isolation for critical network systems through use of group policy. |
M1032 | Multi-factor Authentication | Ensure proper system and access isolation for critical network systems through use of multi-factor authentication. |
M1030 | Network Segmentation | Ensure proper system isolation for critical network systems through use of firewalls. |
M1027 | Password Policies | Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. |
M1026 | Privileged Account Management | Grant access to application deployment systems only to a limited number of authorized administrators. |
M1029 | Remote Data Storage | If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled. |
M1051 | Update Software | Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation. |
M1018 | User Account Management | Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation. |
M1017 | User Training | Have a strict approval policy for use of deployment systems. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0009 | Process | Process Creation |
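The detection table above names Process Creation and Application Log Content as the data components, but does not say what to look for in them. The following Python sketch is an added example, not part of the ATT&CK page or any vendor product: it consumes process-creation events whose parent is a deployment agent and raises two findings, an unapproved child binary launched by the agent, and "fan-out", the same unapproved binary launched on several hosts within a short window, which is the shape of the mass push described in the technique text (malware or a wiper distributed as a deployment task). The agent image names (`deployagent.exe`, `mgmtsvc.exe`), the approved-package path, the thresholds and the sample events are all constructed assumptions to be replaced with the environment's own values.

```python
"""Detection sketch for abuse of software deployment tools (T1072).

Added example, not part of the ATT&CK page. Input is a list of
process-creation events (DS0009) as dicts with keys
time (ISO 8601), host, parent_image, image.
Rule 1: a deployment agent spawned a binary that is not an approved package.
Rule 2: the same unapproved binary was pushed to many hosts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: image names of the deployment-agent processes in this environment.
DEPLOYMENT_AGENTS = {"deployagent.exe", "mgmtsvc.exe"}

# ASSUMPTION: packages the change process has approved for push (full path, lower case).
APPROVED_CHILDREN = {r"c:\pkgcache\approved\updater.exe"}

# Fan-out thresholds: this many distinct hosts inside this window is a mass push.
FANOUT_HOSTS = 3
FANOUT_WINDOW = timedelta(minutes=10)


def basename(path):
    """Case-folded final path component, e.g. 'C:\\x\\Agent.exe' -> 'agent.exe'."""
    return path.strip().lower().rsplit("\\", 1)[-1]


def classify_event(event):
    """Rule 1. Return a finding dict for an unapproved child of a deployment
    agent, or None when the parent is not an agent or the child is approved."""
    if basename(event["parent_image"]) not in DEPLOYMENT_AGENTS:
        return None  # not deployment-originated; out of scope for this rule
    image = event["image"].strip().lower()
    if image in APPROVED_CHILDREN:
        return None
    return {
        "rule": "unapproved_deploy_child",
        "host": event["host"],
        "image": image,
        "time": datetime.fromisoformat(event["time"]),
    }


def detect(events):
    """Run both rules over the events; returns the list of findings."""
    findings = []
    launches = defaultdict(list)  # image -> [(time, host), ...] for unapproved pushes
    for ev in sorted(events, key=lambda e: e["time"]):
        finding = classify_event(ev)
        if finding:
            findings.append(finding)
            launches[finding["image"]].append((finding["time"], finding["host"]))

    # Rule 2: sliding window over each unapproved image's launches.
    for image, seen in launches.items():
        for i, (t0, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - t0 <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                findings.append({
                    "rule": "mass_push_unapproved",
                    "image": image,
                    "hosts": sorted(hosts),
                    "first_seen": t0,
                })
                break  # one fan-out finding per image is enough
    return findings


# Constructed sample events: one approved push, one unapproved binary pushed to
# three hosts in four minutes, and one launch of the same binary by a user shell
# (not via the agent, so outside this rule's scope).
AGENT = r"C:\Program Files\Agent\deployagent.exe"
SAMPLE_EVENTS = [
    {"time": "2023-03-30T09:00:00", "host": "ws01", "parent_image": AGENT,
     "image": r"C:\PkgCache\approved\updater.exe"},
    {"time": "2023-03-30T09:02:00", "host": "ws01", "parent_image": AGENT,
     "image": r"C:\PkgCache\tmp\svc_update.exe"},
    {"time": "2023-03-30T09:03:00", "host": "ws02", "parent_image": AGENT,
     "image": r"C:\PkgCache\tmp\svc_update.exe"},
    {"time": "2023-03-30T09:05:00", "host": "ws03", "parent_image": AGENT,
     "image": r"C:\PkgCache\tmp\svc_update.exe"},
    {"time": "2023-03-30T09:06:00", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\PkgCache\tmp\svc_update.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

On the sample input the script yields three `unapproved_deploy_child` findings and one `mass_push_unapproved` finding covering ws01, ws02 and ws03; the approved updater and the explorer-launched copy produce nothing. The allowlist is the point of the design: it ties detection to the approval policy in M1017, so a push that skipped the change process is visible even when the binary itself is unknown, and the fan-out rule surfaces the "all endpoints at once" case regardless of which payload was chosen.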
References
1. Dell SecureWorks. (2013, March 21). Wiper Malware Analysis Attacking Korean Financial Sector. Retrieved May 13, 2015.
2. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
3. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
4. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
5. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
6. Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.