Esc
Software Deployment Tools - T1072
(ATT&CK® Technique)
Definition
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1072["Software Deployment Tools"] --> |installs| Software["Software"]; class T1072 OffensiveTechniqueNode;
class Software ArtifactNode; click Software href "/dao/artifact/d3f:Software";
click T1072 href "/offensive-technique/attack/T1072/"; click Software href "/dao/artifact/d3f:Software"; T1072["Software Deployment Tools"] --> |adds| File["File"]; class T1072 OffensiveTechniqueNode;
class File ArtifactNode; click File href "/dao/artifact/d3f:File";
click T1072 href "/offensive-technique/attack/T1072/"; click File href "/dao/artifact/d3f:File"; T1072["Software Deployment Tools"] --> |executes| SoftwareDeploymentTool["Software Deployment Tool"]; class T1072 OffensiveTechniqueNode;
class SoftwareDeploymentTool ArtifactNode; click SoftwareDeploymentTool href "/dao/artifact/d3f:SoftwareDeploymentTool";
click T1072 href "/offensive-technique/attack/T1072/"; click SoftwareDeploymentTool href "/dao/artifact/d3f:SoftwareDeploymentTool"; SoftwareUpdate["Software Update"] -->
| updates | SoftwareDeploymentTool["Software Deployment Tool"];
SoftwareUpdate["Software Update"] -.->
| may-harden | T1072["Software Deployment Tools"] ;
class SoftwareUpdate DefensiveTechniqueNode;
class SoftwareDeploymentTool ArtifactNode;
click SoftwareUpdate href "/technique/d3f:SoftwareUpdate"; SoftwareUpdate["Software Update"] -->
| updates | Software["Software"];
class SoftwareUpdate DefensiveTechniqueNode;
class Software ArtifactNode;
click SoftwareUpdate href "/technique/d3f:SoftwareUpdate"; FileEncryption["File Encryption"] -->
| encrypts | File["File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1072["Software Deployment Tools"] ;
class FileEncryption DefensiveTechniqueNode;
class File ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEviction["File Eviction"] -->
| deletes | File["File"];
FileEviction["File Eviction"] -.->
| may-evict | T1072["Software Deployment Tools"] ;
class FileEviction DefensiveTechniqueNode;
class File ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | File["File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1072["Software Deployment Tools"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class File ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DecoyFile["Decoy File"] -->
| spoofs | File["File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1072["Software Deployment Tools"] ;
class DecoyFile DefensiveTechniqueNode;
class File ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; LocalFilePermissions["Local File Permissions"] -->
| restricts | File["File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1072["Software Deployment Tools"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class File ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreSoftware["Restore Software"] -->
| restores | Software["Software"];
RestoreSoftware["Restore Software"] -.->
| may-restore | T1072["Software Deployment Tools"] ;
class RestoreSoftware DefensiveTechniqueNode;
class Software ArtifactNode;
click RestoreSoftware href "/technique/d3f:RestoreSoftware"; RestoreSoftware["Restore Software"] -->
| restores | SoftwareDeploymentTool["Software Deployment Tool"];
class RestoreSoftware DefensiveTechniqueNode;
class SoftwareDeploymentTool ArtifactNode;
click RestoreSoftware href "/technique/d3f:RestoreSoftware"; RestoreFile["Restore File"] -->
| restores | File["File"];
RestoreFile["Restore File"] -.->
| may-restore | T1072["Software Deployment Tools"] ;
class RestoreFile DefensiveTechniqueNode;
class File ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; ServiceBinaryVerification["Service Binary Verification"] -->
| verifies | SoftwareDeploymentTool["Software Deployment Tool"];
ServiceBinaryVerification["Service Binary Verification"] -.->
| may-detect | T1072["Software Deployment Tools"] ;
class ServiceBinaryVerification DefensiveTechniqueNode;
class SoftwareDeploymentTool ArtifactNode;
click ServiceBinaryVerification href "/technique/d3f:ServiceBinaryVerification"; FileAnalysis["File Analysis"] -->
| analyzes | File["File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1072["Software Deployment Tools"] ;
class FileAnalysis DefensiveTechniqueNode;
class File ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | File["File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1072["Software Deployment Tools"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class File ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";