Software Deployment Tools

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. [1]

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.

ID: T1072
Sub-techniques:  No sub-techniques
Platforms: Linux, Network, Windows, macOS
Supports Remote:  Yes
Contributors: Joe Gumke, U.S. Bank; Shane Tully, @securitygypsy
Version: 2.2
Created: 31 May 2017
Last Modified: 27 September 2023

Procedure Examples

ID Name Description
G0050 APT32

APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.[2]

C0018 C0018

During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network.[3]

G0034 Sandworm Team

Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution.[4]

G0091 Silence

Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs.[5]

G0028 Threat Group-1314

Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.[6]

S0041 Wiper

It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the Wiper malware.[7]

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

Ensure proper system and access isolation for critical network systems through use of group policy.

M1033 Limit Software Installation

Restrict the use of third-party software suites installed within an enterprise network.

M1032 Multi-factor Authentication

Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.

M1030 Network Segmentation

Ensure proper system isolation for critical network systems through use of firewalls.

M1027 Password Policies

Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.

M1026 Privileged Account Management

Grant access to application deployment systems only to a limited number of authorized administrators.

M1029 Remote Data Storage

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

M1051 Update Software

Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.

M1018 User Account Management

Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.

M1017 User Training

Have a strict approval policy for use of deployment systems.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.Perform application deployment at regular times so that irregular deployment activity stands out.

DS0009 Process Process Creation

Monitor for newly executed processes that does not correlate to known good software. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems.

References