Register to stream ATT&CKcon 2.0 October 29-30

Application Deployment Software

Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.

Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

ID: T1017
Tactic: Lateral Movement
Platform: Linux, macOS, Windows
System Requirements: Access to application deployment software (EPO, HPCA, Altiris, etc.)
Data Sources: File monitoring, Process use of network, Process monitoring
CAPEC ID: CAPEC-187
Version: 1.0

Procedure Examples

Name Description
APT32 APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task. [1]

Mitigations

Mitigation Description
Code Signing If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.
Multi-factor Authentication Use multi-factor authentication for accounts used with application deployment software.
Network Segmentation Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication.
Privileged Account Management Grant access to application deployment systems only to a limited number of authorized administrators. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.
Update Software Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.

Detection

Monitor application deployments from a secondary system. Perform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.

References