T1072: Software Deployment Tools

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.

Access to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

SaaS-based configuration management services may allow for broad Cloud Administration Command on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD. Such services may also utilize Web Protocols to communicate back to adversary-owned infrastructure.

Network infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

process_chains_and_logons: PT-CR-947: Suspicious_Kaspersky_Agent_Process_Chain: Suspicious process start chain for the Kaspersky Anti-Virus agent klnagent
process_chains_and_logons: PT-CR-1214: Suspicious_SCCM_Agent_Process_Chain: Suspicious process start chain for SCCM agent ccmexec.exe
kaspersky: PT-CR-1837: Kaspersky_Install_Malicious_App: A suspicious application is installed from Kaspersky Security Center
kaspersky: PT-CR-1836: Subrule_Kaspersky_Run_Task_Install_App: A task is run and an application is installed from Kaspersky Security Center
kaspersky: PT-CR-1835: Subrule_Kaspersky_Create_Package_And_Task: An installation package and task are created in Kaspersky Security Center
kaspersky: PT-CR-806: Kaspersky_Installation_Package_Modification: A user changed an installation package
microsoft_mecm: PT-CR-1879: MECM_Created_Modified_Program: Creating a new program or changing an existing one in MECM
microsoft_mecm: PT-CR-1881: MECM_Created_Modified_Package: Creating a new package or changing an existing one in MECM
microsoft_mecm: PT-CR-1869: MECM_Deploy_Application: Deploying an application in the MECM infrastructure
microsoft_mecm: PT-CR-1868: MECM_Create_modified_scripts: Creating a new script or changing an existing one in MECM
microsoft_mecm: PT-CR-1872: MECM_Run_Script: Running a script in the MECM infrastructure
microsoft_mecm: PT-CR-1870: MECM_Deploy_Program: Deploying a program in the MECM infrastructure
microsoft_mecm: PT-CR-1880: MECM_ConfigurationItem: Applying a new configuration to MECM infrastructure hosts
zabbix: PT-CR-808: Zabbix_Script_Executing: An attempt to execute a script in Zabbix. This may indicate lateral movement in the network.
drweb: PT-CR-2068: DrWeb_Installation_Package_Modification: The component set to be installed on stations is changed. An attacker can restart the client to delete a component. This can relax station protection.
vmware_aria: PT-CR-2372: AOFL_Possible_Upgrade_Via_Malicious_Pak: Possible exploitation of vulnerabilities CVE-2023-34051, CVE-2022-31706, and CVE-2022-31704. This allows an attacker to execute arbitrary code on a host. The attack consists of several steps: bypassing authentication, uploading a malicious PAK file using REMOTE_PAK_DOWNLOAD_COMMAND, and launching an update using PAK_UPGRADE_COMMAND.
saltstack: PT-CR-2315: SaltStack_Exec_Cmd: A Salt command was executed

Detection

ID: DS0009 | Data source and component: Process: Process Creation | Description:

Monitor for newly executed processes that do not correlate to known good software. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems.
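The process-tree analysis described above, as an added example that is not part of the original page: it walks constructed process-creation records and flags children of deployment agents (ccmexec.exe and klnagent.exe, the agents named in the rules list above) that are not on a known-good allowlist, or that are allowlisted interpreters launched with encoded or hidden command lines. The record format, the allowlist and the argument indicators are assumptions for illustration.

```python
# Added example (not from the original page): flag suspicious child processes of
# software-deployment agents, per data source DS0009 (Process Creation).
# Record format 'pid|ppid|image|cmdline', agent names, allowlist and argument
# indicators are assumptions for illustration, not a vendor's detection content.
from dataclasses import dataclass

AGENTS = {"ccmexec.exe", "klnagent.exe"}              # deployment agents to watch
KNOWN_GOOD = {"msiexec.exe", "setup.exe", "powershell.exe"}  # routine children
SUSPICIOUS_ARGS = ("-enc", "-windowstyle hidden")     # simplistic indicators

@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed 'pid|ppid|image|cmdline' record."""
    pid, ppid, image, cmdline = line.split("|", 3)
    return ProcessEvent(int(pid), int(ppid), image.strip().lower(), cmdline.strip())

def find_suspicious_chains(lines):
    """Return (parent, child, reason) tuples for children of deployment agents."""
    events = [parse_line(l) for l in lines if l.strip()]
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in AGENTS:
            continue  # only children of deployment agents are in scope
        if e.image not in KNOWN_GOOD:
            alerts.append((parent.image, e.image, "child not in known-good list"))
        elif any(tok in e.cmdline.lower() for tok in SUSPICIOUS_ARGS):
            alerts.append((parent.image, e.image, "allowlisted child with suspicious arguments"))
    return alerts

# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
100|1|services.exe|C:\\Windows\\System32\\services.exe
200|100|ccmexec.exe|C:\\Windows\\CCM\\CcmExec.exe
201|200|msiexec.exe|msiexec.exe /i app.msi /qn
202|200|cmd.exe|cmd.exe /c dir C:\\Users
203|200|powershell.exe|powershell.exe -enc QUJD
300|100|klnagent.exe|C:\\Program Files\\Kaspersky Lab\\NetworkAgent\\klnagent.exe
301|300|setup.exe|setup.exe /s
"""

if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tuning the allowlist against a baseline of what each deployment server normally pushes is the part of this check that takes real effort; the matching logic itself is the easy half.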

ID: DS0015 | Data source and component: Application Log: Application Log Content | Description:

Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage. Perform application deployment at regular times so that irregular deployment activity stands out.
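The log review described above, as an added example that is not part of the original page: it audits constructed deployment-log records for the three anomalies the paragraph calls out, a push from a host that is not a known deployment server, a deploying account outside the authorized group, and a deployment outside the regular deployment window. The log format, host and account names and the maintenance window are assumptions.

```python
# Added example (not from the original page): audit software-deployment log records
# for irregular activity, per data source DS0015 (Application Log Content).
# Log format, host/account names and the maintenance window are assumed.
import re
from datetime import datetime, timezone

KNOWN_PUSH_HOSTS = {"sccm-ps01", "sccm-dp01"}      # assumed deployment servers
AUTHORIZED_DEPLOYERS = {"svc_sccm", "admin.jdoe"}  # assumed authorized accounts
WINDOW_DAYS = {1, 3}          # assumed window: Tuesday/Thursday ...
WINDOW_HOURS = range(21, 24)  # ... 21:00-23:59 UTC

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=deploy "
    r"package=(?P<package>\S+) targets=(?P<targets>\d+)$"
)

def audit_deployment(line: str) -> list:
    """Return the reasons one deployment record looks irregular (empty if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsable record"]
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    reasons = []
    if m["host"].lower() not in KNOWN_PUSH_HOSTS:
        reasons.append(f"push from non-deployment host {m['host']}")
    if m["user"].lower() not in AUTHORIZED_DEPLOYERS:
        reasons.append(f"unauthorized deployer account {m['user']}")
    if ts.weekday() not in WINDOW_DAYS or ts.hour not in WINDOW_HOURS:
        reasons.append(f"deployment outside maintenance window at {ts.isoformat()}")
    return reasons

def audit_log(lines):
    """Map each irregular record to its reasons; clean records are omitted."""
    return {l.strip(): r for l in lines if l.strip() and (r := audit_deployment(l))}

# Constructed sample log (not real data); 2024-05-07 is a Tuesday.
SAMPLE_LOG = """\
2024-05-07T21:30:00Z host=sccm-ps01 user=svc_sccm action=deploy package=Office-Update.msi targets=850
2024-05-07T21:45:00Z host=sccm-dp01 user=admin.jdoe action=deploy package=Agent-7.2.msi targets=120
2024-05-08T02:10:00Z host=ws-finance-17 user=contractor1 action=deploy package=update.exe targets=3
2024-05-09T22:05:00Z host=sccm-ps01 user=svc_sccm action=deploy package=Patch-KB.msu targets=900
"""

if __name__ == "__main__":
    for rec, reasons in audit_log(SAMPLE_LOG.splitlines()).items():
        print(rec, "->", "; ".join(reasons))
```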

Mitigation

ID: M1015 | Name: Active Directory Configuration | Description:

Ensure proper system and access isolation for critical network systems through use of group policy.

ID: M1017 | Name: User Training | Description:

Have a strict approval policy for use of deployment systems.

ID: M1018 | Name: User Account Management | Description:

Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.

ID: M1026 | Name: Privileged Account Management | Description:

Grant access to application deployment systems only to a limited number of authorized administrators.

ID: M1027 | Name: Password Policies | Description:

Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.

ID: M1029 | Name: Remote Data Storage | Description:

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

ID: M1030 | Name: Network Segmentation | Description:

Ensure proper system isolation for critical network systems through use of firewalls.

ID: M1032 | Name: Multi-factor Authentication | Description:

Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.

ID: M1033 | Name: Limit Software Installation | Description:

Restrict the use of third-party software suites installed within an enterprise network.

ID: M1051 | Name: Update Software | Description:

Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.