
Application Deployment Software

Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.

Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

ID: T1017
Tactic: Lateral Movement
Platform: Linux, macOS, Windows
System Requirements: Access to application deployment software (EPO, HPCA, Altiris, etc.)
Data Sources: File monitoring, Process use of network, Process monitoring
Version: 1.0
Created: 31 May 2017
Last Modified: 16 July 2019

Procedure Examples

Name: APT32
Description: APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[1]


Mitigations
Code Signing

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

Multi-factor Authentication

Use multi-factor authentication for accounts used with application deployment software.

Network Segmentation

Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication.

Privileged Account Management

Grant access to application deployment systems only to a limited number of authorized administrators. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.

Update Software

Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.

Detection

Monitor application deployments from a secondary system. Perform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.
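One way to turn the detection guidance above into a check, as an added example that is not part of the ATT&CK page or any deployment vendor's tooling: it reads a constructed JSON-lines export of deployment tasks and flags tasks that fall outside the scheduled window, come from an account that is not an authorized deployment administrator, or carry a package not signed by the trusted release key. The record fields, window, account list and signer name are all assumed placeholders to be replaced with your own baseline.

```python
from __future__ import annotations
import json
from datetime import datetime, time

# Constructed baseline (assumption): deployments are scheduled for Tuesday
# 02:00-04:00, run only by two admin accounts, and must be signed by the
# organisation's release key, which lives off the deployment server.
MAINTENANCE_DAY = 1                      # Monday == 0, so 1 is Tuesday
WINDOW = (time(2, 0), time(4, 0))
AUTHORIZED_ACCOUNTS = {"svc_deploy", "admin.jane"}
TRUSTED_SIGNER = "CN=Example Corp Release Signing"   # placeholder value


def review_deployment(record: dict) -> list[str]:
    """Return the reasons one deployment record looks irregular (empty if none)."""
    reasons = []
    ts = datetime.fromisoformat(record["time"])
    in_window = ts.weekday() == MAINTENANCE_DAY and WINDOW[0] <= ts.time() <= WINDOW[1]
    if not in_window:
        reasons.append("outside scheduled deployment window")
    if record["account"] not in AUTHORIZED_ACCOUNTS:
        reasons.append(f"unauthorized account {record['account']}")
    if record.get("signer") != TRUSTED_SIGNER:
        reasons.append("package not signed by trusted release key")
    return reasons


def review_log(lines) -> dict[str, list[str]]:
    """Map task_id -> reasons for every irregular record in an iterable of JSON lines."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = review_deployment(rec)
        if reasons:
            findings[rec["task_id"]] = reasons
    return findings


# Constructed sample export: one routine task, one off-schedule task, and one
# task from a helpdesk account pushing an unsigned package.
SAMPLE_LOG = """
{"task_id": "t-1001", "time": "2024-03-05T02:30:00", "account": "svc_deploy", "package": "agent-7.2.msi", "signer": "CN=Example Corp Release Signing"}
{"task_id": "t-1002", "time": "2024-03-07T14:12:00", "account": "svc_deploy", "package": "update.exe", "signer": "CN=Example Corp Release Signing"}
{"task_id": "t-1003", "time": "2024-03-05T03:10:00", "account": "helpdesk3", "package": "tool.exe", "signer": null}
"""

if __name__ == "__main__":
    for task, why in review_log(SAMPLE_LOG.splitlines()).items():
        print(task, "->", "; ".join(why))
```

Each reason maps to one sentence of the guidance, so a hit on the window check alone is worth correlating with the deployment server's login records before escalating.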