T1072

Software Deployment Tools

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation.

Microsoft Sentinel / Defender

kusto

let DeploymentAgents = dynamic([
    "ccmexec.exe",
    "ccmsetup.exe",
    "besclient.exe",
    "besservice.exe",
    "PDQDeployRunner.exe",
    "PDQDeploy.exe",
    "AeXNSAgent.exe",
    "AeXSWDSvc.exe",
    "IntuneManagementExtension.exe",
    "amazon-ssm-agent.exe",
    "RemoteExec.exe",
    "radmin.exe",
    "r_server.exe"
]);
let SuspiciousChildren = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "wmic.exe", "net.exe", "net1.exe", "sc.exe", "schtasks.exe",
    "reg.exe", "whoami.exe", "nltest.exe", "at.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (DeploymentAgents)
| where FileName has_any (SuspiciousChildren)
| extend CredentialAccess = ProcessCommandLine has_any ("lsass", "procdump", "mimikatz", "sekurlsa", "comsvcs", "ntds.dit", "MiniDump")
| extend LateralMovement = ProcessCommandLine has_any ("psexec", "wmic /node", "net use", "xcopy", "robocopy", "Enter-PSSession")
| extend PersistenceAttempt = ProcessCommandLine has_any ("schtasks /create", "sc create", "reg add", "localgroup administrators", "CurrentVersion\\Run", "startup")
| extend DownloadAttempt = ProcessCommandLine has_any ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "certutil -urlcache", "bitsadmin /transfer", "net.webclient", "Start-BitsTransfer")
| extend EncodedCmd = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "-e ", "-ec ")
| extend ReconActivity = ProcessCommandLine has_any ("whoami", "net user", "net group", "nltest", "ipconfig", "systeminfo", "netstat", "tasklist", "net localgroup")
| extend HiddenExec = ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "-nop ", "-noni ")
| where CredentialAccess or LateralMovement or PersistenceAttempt or DownloadAttempt or EncodedCmd or (ReconActivity and HiddenExec)
| project Timestamp, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName,
          CredentialAccess, LateralMovement, PersistenceAttempt,
          DownloadAttempt, EncodedCmd, ReconActivity, HiddenExec
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

SCCM/ConfigMgr routinely spawns PowerShell and cmd.exe to execute legitimate software deployment scripts, patch management, and compliance remediation — build an allowlist of authorized script names and package GUIDs from InitiatingProcessCommandLine
BigFix (HCL) and PDQ Deploy are frequently used for IT administration tasks including software installs, configuration changes, and script execution that legitimately trigger this detection during patch cycles
Intune Management Extension (IntuneManagementExtension.exe) executes PowerShell scripts deployed by administrators for device configuration, security baseline enforcement, and application installation
AWS Systems Manager Run Command legitimately executes shell commands on EC2 instances for patch management, inventory collection, and operational runbooks — tune by allowlisting known SSM document names
Automated patch management tools may use certutil or bitsadmin for downloading and verifying update packages from vendor CDNs
Monitoring and inventory agents (SCCM hardware inventory, BigFix relevance queries) run net.exe and systeminfo.exe on a schedule to collect asset data

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (ParentImage="*\\ccmexec.exe" OR ParentImage="*\\ccmsetup.exe"
     OR ParentImage="*\\besclient.exe" OR ParentImage="*\\besservice.exe"
     OR ParentImage="*\\PDQDeployRunner.exe" OR ParentImage="*\\PDQDeploy.exe"
     OR ParentImage="*\\AeXNSAgent.exe" OR ParentImage="*\\AeXSWDSvc.exe"
     OR ParentImage="*\\IntuneManagementExtension.exe"
     OR ParentImage="*\\amazon-ssm-agent.exe"
     OR ParentImage="*\\RemoteExec.exe"
     OR ParentImage="*\\radmin.exe" OR ParentImage="*\\r_server.exe")
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
     OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
     OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\rundll32.exe"
     OR Image="*\\regsvr32.exe" OR Image="*\\wmic.exe" OR Image="*\\net.exe"
     OR Image="*\\net1.exe" OR Image="*\\whoami.exe" OR Image="*\\nltest.exe"
     OR Image="*\\schtasks.exe" OR Image="*\\sc.exe" OR Image="*\\reg.exe")
| eval cmd=lower(CommandLine)
| eval CredentialAccess=if(match(cmd, "(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\.dit|minidump)"), 1, 0)
| eval LateralMovement=if(match(cmd, "(psexec|wmic\s+/node|net\s+use|xcopy|robocopy|enter-pssession)"), 1, 0)
| eval PersistenceAttempt=if(match(cmd, "(schtasks\s+/create|sc\s+create|reg\s+add.*(run|startup)|localgroup.*administrator)"), 1, 0)
| eval DownloadAttempt=if(match(cmd, "(downloadstring|downloadfile|invoke-webrequest|iwr\s|certutil.*urlcache|bitsadmin.*transfer|net\.webclient|start-bitstransfer)"), 1, 0)
| eval EncodedCmd=if(match(cmd, "(-encodedcommand|-enc\s|-e\s|-ec\s)"), 1, 0)
| eval ReconActivity=if(match(cmd, "(whoami|net\s+user|net\s+group|nltest|ipconfig|systeminfo|netstat|tasklist|net\s+localgroup)"), 1, 0)
| eval HiddenExec=if(match(cmd, "(-windowstyle\s+hidden|-w\s+hidden|-nop\s|-noni\s)"), 1, 0)
| eval RiskScore=CredentialAccess*5 + LateralMovement*4 + PersistenceAttempt*4 + DownloadAttempt*3 + EncodedCmd*2 + (ReconActivity * HiddenExec)*3 + ReconActivity*1
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, CredentialAccess, LateralMovement, PersistenceAttempt, DownloadAttempt, EncodedCmd, ReconActivity, HiddenExec, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

SCCM deployment scripts legitimately spawn PowerShell and cmd.exe — tune by allowlisting known-good ParentCommandLine patterns associated with authorized package GUIDs
BigFix and PDQ Deploy administrative tasks frequently trigger this detection during patch cycles; suppress during scheduled maintenance windows using a lookup table of authorized job IDs
Intune PowerShell scripts deployed by administrators appear as IntuneManagementExtension.exe spawning PowerShell with -ExecutionPolicy Bypass, which is a built-in Intune behavior
AWS SSM Run Command on Windows EC2 instances appears as amazon-ssm-agent.exe spawning cmd.exe or PowerShell for authorized runbook execution
Automated patch management tools use certutil and bitsadmin for update package verification, triggering DownloadAttempt flags on patch Tuesdays
Inventory scans using net.exe commands trigger ReconActivity — correlate against scheduled maintenance windows and approved scan job timers

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.parent.name in~ (
    "ccmexec.exe", "ccmsetup.exe", "besclient.exe", "besservice.exe",
    "pdqdeployrunner.exe", "pdqdeploy.exe", "aexnsagent.exe", "aexswdsvc.exe",
    "intunemanagementextension.exe", "amazon-ssm-agent.exe",
    "remoteexec.exe", "radmin.exe", "r_server.exe"
  )
  and process.name in~ (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "wmic.exe", "net.exe", "net1.exe", "sc.exe", "schtasks.exe",
    "reg.exe", "whoami.exe", "nltest.exe", "at.exe"
  )
  and (
    process.command_line like~ ("*lsass*", "*procdump*", "*mimikatz*", "*sekurlsa*", "*comsvcs*", "*ntds.dit*", "*minidump*")
    or process.command_line like~ ("*psexec*", "*wmic /node*", "*net use *", "*xcopy*", "*robocopy*", "*enter-pssession*")
    or process.command_line like~ ("*schtasks /create*", "*sc create*", "*reg add*", "*localgroup administrators*", "*CurrentVersion\\Run*")
    or process.command_line like~ ("*downloadstring*", "*downloadfile*", "*invoke-webrequest*", "*iwr *", "*certutil -urlcache*", "*bitsadmin /transfer*", "*net.webclient*", "*start-bitstransfer*")
    or process.command_line like~ ("*-encodedcommand*", "*-enc *", "*-ec *")
    or (
      process.command_line like~ ("*whoami*", "*net user*", "*net group*", "*nltest*", "*ipconfig*", "*systeminfo*", "*netstat*", "*tasklist*")
      and process.command_line like~ ("*-windowstyle hidden*", "*-w hidden*", "*-nop *", "*-noni *")
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security agent (process telemetry) Windows Sysmon via Elastic Agent or Winlogbeat Auditbeat (Linux, if deployment agents run cross-platform)

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-system.security-*

False Positives

SCCM or Intune software deployment tasks that legitimately invoke PowerShell with -EncodedCommand to handle complex multi-line scripts packaged for transport in MDM payloads
BigFix fixlets running net.exe, sc.exe, or reg.exe to enforce OS baseline configuration (service hardening, local group membership, registry policy) as part of scheduled remediation
PDQ Deploy jobs that use certutil.exe or bitsadmin.exe to fetch installation packages from internal distribution servers during authorized software rollouts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "User",
  "Process Image" AS "Child Process",
  "Parent Image" AS "Parent Process",
  "CommandLine" AS "Command Line",
  "Parent CommandLine" AS "Parent Command Line",
  CASE WHEN LOWER("CommandLine") LIKE '%lsass%'
            OR LOWER("CommandLine") LIKE '%procdump%'
            OR LOWER("CommandLine") LIKE '%mimikatz%'
            OR LOWER("CommandLine") LIKE '%sekurlsa%'
            OR LOWER("CommandLine") LIKE '%comsvcs%'
            OR LOWER("CommandLine") LIKE '%ntds.dit%'
            OR LOWER("CommandLine") LIKE '%minidump%'
       THEN 'YES' ELSE 'NO' END AS "CredentialAccess",
  CASE WHEN LOWER("CommandLine") LIKE '%psexec%'
            OR LOWER("CommandLine") LIKE '%wmic /node%'
            OR LOWER("CommandLine") LIKE '%net use %'
            OR LOWER("CommandLine") LIKE '%xcopy%'
            OR LOWER("CommandLine") LIKE '%robocopy%'
            OR LOWER("CommandLine") LIKE '%enter-pssession%'
       THEN 'YES' ELSE 'NO' END AS "LateralMovement",
  CASE WHEN LOWER("CommandLine") LIKE '%schtasks /create%'
            OR LOWER("CommandLine") LIKE '%sc create%'
            OR LOWER("CommandLine") LIKE '%reg add%'
            OR LOWER("CommandLine") LIKE '%localgroup%administrator%'
            OR LOWER("CommandLine") LIKE '%currentversion%run%'
       THEN 'YES' ELSE 'NO' END AS "PersistenceAttempt",
  CASE WHEN LOWER("CommandLine") LIKE '%downloadstring%'
            OR LOWER("CommandLine") LIKE '%downloadfile%'
            OR LOWER("CommandLine") LIKE '%invoke-webrequest%'
            OR LOWER("CommandLine") LIKE '%certutil -urlcache%'
            OR LOWER("CommandLine") LIKE '%bitsadmin /transfer%'
            OR LOWER("CommandLine") LIKE '%net.webclient%'
            OR LOWER("CommandLine") LIKE '%start-bitstransfer%'
       THEN 'YES' ELSE 'NO' END AS "DownloadAttempt",
  CASE WHEN LOWER("CommandLine") LIKE '%-encodedcommand%'
            OR LOWER("CommandLine") LIKE '%-enc %'
            OR LOWER("CommandLine") LIKE '%-ec %'
       THEN 'YES' ELSE 'NO' END AS "EncodedCmd"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND QIDNAME(qid) ILIKE '%Process Create%'
  AND LAST 1 DAYS
  AND (
    "Parent Image" ILIKE '%\\ccmexec.exe'
    OR "Parent Image" ILIKE '%\\ccmsetup.exe'
    OR "Parent Image" ILIKE '%\\besclient.exe'
    OR "Parent Image" ILIKE '%\\besservice.exe'
    OR "Parent Image" ILIKE '%\\PDQDeployRunner.exe'
    OR "Parent Image" ILIKE '%\\PDQDeploy.exe'
    OR "Parent Image" ILIKE '%\\AeXNSAgent.exe'
    OR "Parent Image" ILIKE '%\\AeXSWDSvc.exe'
    OR "Parent Image" ILIKE '%\\IntuneManagementExtension.exe'
    OR "Parent Image" ILIKE '%\\amazon-ssm-agent.exe'
    OR "Parent Image" ILIKE '%\\RemoteExec.exe'
    OR "Parent Image" ILIKE '%\\radmin.exe'
    OR "Parent Image" ILIKE '%\\r_server.exe'
  )
  AND (
    "Process Image" ILIKE '%\\cmd.exe'
    OR "Process Image" ILIKE '%\\powershell.exe'
    OR "Process Image" ILIKE '%\\pwsh.exe'
    OR "Process Image" ILIKE '%\\wscript.exe'
    OR "Process Image" ILIKE '%\\cscript.exe'
    OR "Process Image" ILIKE '%\\mshta.exe'
    OR "Process Image" ILIKE '%\\certutil.exe'
    OR "Process Image" ILIKE '%\\bitsadmin.exe'
    OR "Process Image" ILIKE '%\\rundll32.exe'
    OR "Process Image" ILIKE '%\\regsvr32.exe'
    OR "Process Image" ILIKE '%\\wmic.exe'
    OR "Process Image" ILIKE '%\\net.exe'
    OR "Process Image" ILIKE '%\\net1.exe'
    OR "Process Image" ILIKE '%\\whoami.exe'
    OR "Process Image" ILIKE '%\\nltest.exe'
    OR "Process Image" ILIKE '%\\schtasks.exe'
    OR "Process Image" ILIKE '%\\sc.exe'
    OR "Process Image" ILIKE '%\\reg.exe'
  )
  AND (
    LOWER("CommandLine") LIKE '%lsass%'
    OR LOWER("CommandLine") LIKE '%procdump%'
    OR LOWER("CommandLine") LIKE '%mimikatz%'
    OR LOWER("CommandLine") LIKE '%sekurlsa%'
    OR LOWER("CommandLine") LIKE '%comsvcs%'
    OR LOWER("CommandLine") LIKE '%ntds.dit%'
    OR LOWER("CommandLine") LIKE '%psexec%'
    OR LOWER("CommandLine") LIKE '%wmic /node%'
    OR LOWER("CommandLine") LIKE '%schtasks /create%'
    OR LOWER("CommandLine") LIKE '%sc create%'
    OR LOWER("CommandLine") LIKE '%reg add%'
    OR LOWER("CommandLine") LIKE '%downloadstring%'
    OR LOWER("CommandLine") LIKE '%invoke-webrequest%'
    OR LOWER("CommandLine") LIKE '%certutil -urlcache%'
    OR LOWER("CommandLine") LIKE '%bitsadmin /transfer%'
    OR LOWER("CommandLine") LIKE '%net.webclient%'
    OR LOWER("CommandLine") LIKE '%-encodedcommand%'
    OR LOWER("CommandLine") LIKE '%-enc %'
    OR LOWER("CommandLine") LIKE '%-ec %'
    OR (LOWER("CommandLine") LIKE '%whoami%' AND LOWER("CommandLine") LIKE '%-nop %')
    OR (LOWER("CommandLine") LIKE '%systeminfo%' AND LOWER("CommandLine") LIKE '%-windowstyle hidden%')
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Sysmon DSM (QRadar) Windows Security Event Log DSM (QRadar)

Required Tables

events

False Positives

SCCM task sequences that invoke PowerShell with -EncodedCommand or -enc for deploying complex application scripts, which triggers the EncodedCmd indicator with no malicious intent
BigFix actions using net.exe or sc.exe to enforce OS baseline policies such as disabling services or managing local administrator group membership during scheduled fixlet runs
PDQ Deploy packages that download installation files via bitsadmin or certutil from internal WSUS or software distribution servers as part of authorized enterprise deployments

Sumo Logic CSE

sql

_sourceCategory=*/windows/sysmon (EventCode=1 OR EventID=1)
| parse regex "(?i)<Data Name='ParentImage'>(?P<ParentImage>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='Image'>(?P<Image>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='CommandLine'>(?P<CommandLine>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='ParentCommandLine'>(?P<ParentCommandLine>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='User'>(?P<User>[^<]+)</Data>" nodrop
| where ParentImage =~ "(?i).*(ccmexec|ccmsetup|besclient|besservice|PDQDeployRunner|PDQDeploy|AeXNSAgent|AeXSWDSvc|IntuneManagementExtension|amazon-ssm-agent|RemoteExec|radmin|r_server)\\.exe$"
| where Image =~ "(?i).*\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|net|net1|sc|schtasks|reg|whoami|nltest|at)\\.exe$"
| toLowerCase(CommandLine) as cmd
| if(cmd =~ ".*(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\\.dit|minidump).*", 1, 0) as CredentialAccess
| if(cmd =~ ".*(psexec|wmic /node|net use |xcopy|robocopy|enter-pssession).*", 1, 0) as LateralMovement
| if(cmd =~ ".*(schtasks /create|sc create|reg add|localgroup.*administrator|currentversion.run).*", 1, 0) as PersistenceAttempt
| if(cmd =~ ".*(downloadstring|downloadfile|invoke-webrequest|iwr |certutil.*urlcache|bitsadmin.*transfer|net\\.webclient|start-bitstransfer).*", 1, 0) as DownloadAttempt
| if(cmd =~ ".*(-encodedcommand|-enc |-e |-ec ).*", 1, 0) as EncodedCmd
| if(cmd =~ ".*(whoami|net user|net group|nltest|ipconfig|systeminfo|netstat|tasklist).*", 1, 0) as ReconActivity
| if(cmd =~ ".*(-windowstyle hidden|-w hidden|-nop |-noni ).*", 1, 0) as HiddenExec
| (CredentialAccess*5 + LateralMovement*4 + PersistenceAttempt*4 + DownloadAttempt*3 + EncodedCmd*2 + ReconActivity*HiddenExec*3 + ReconActivity) as RiskScore
| where RiskScore > 0
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, ParentCommandLine, CredentialAccess, LateralMovement, PersistenceAttempt, DownloadAttempt, EncodedCmd, ReconActivity, HiddenExec, RiskScore
| sort by RiskScore, _messageTime

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Sysmon Operational log) Sumo Logic Cloud SIEM Enterprise (normalized process events) Sumo Logic OpenTelemetry Collector (hostmetrics + windows events)

Required Tables

_sourceCategory=*/windows/sysmon

False Positives

Intune Management Extension running PowerShell scripts signed and encoded in base64 for Win32 application deployment packages submitted through Endpoint Manager
AWS SSM Run Command documents executing shell commands for fleet-wide instance configuration, patching workflows, or compliance baseline enforcement via ssm-agent
SCCM software center deployments invoking net.exe or sc.exe to configure service accounts, prerequisites, or local group memberships as part of approved application installation sequences

Google Chronicle / SecOps

yaral

rule t1072_deployment_tool_suspicious_child_process {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious LOLBin or interpreter processes spawned by software deployment agents, indicating T1072 abuse for execution or lateral movement"
    mitre_attack_tactic = "Lateral Movement, Execution"
    mitre_attack_technique = "T1072"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"
    created = "2025-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path,
      `(?i)(ccmexec\.exe|ccmsetup\.exe|besclient\.exe|besservice\.exe|PDQDeployRunner\.exe|PDQDeploy\.exe|AeXNSAgent\.exe|AeXSWDSvc\.exe|IntuneManagementExtension\.exe|amazon-ssm-agent\.exe|RemoteExec\.exe|radmin\.exe|r_server\.exe)$`)
    re.regex($e.target.process.file.full_path,
      `(?i)(\\cmd\.exe|\\powershell\.exe|\\pwsh\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\regsvr32\.exe|\\rundll32\.exe|\\certutil\.exe|\\bitsadmin\.exe|\\wmic\.exe|\\net\.exe|\\net1\.exe|\\sc\.exe|\\schtasks\.exe|\\reg\.exe|\\whoami\.exe|\\nltest\.exe|\\at\.exe)$`)
    (
      re.regex($e.target.process.command_line,
        `(?i)(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\.dit|minidump|psexec|wmic\s+/node|net\s+use\s|xcopy|robocopy|enter-pssession)`) or
      re.regex($e.target.process.command_line,
        `(?i)(schtasks\s+/create|sc\s+create|reg\s+add|localgroup.*administrator|currentversion.run)`) or
      re.regex($e.target.process.command_line,
        `(?i)(downloadstring|downloadfile|invoke-webrequest|iwr\s|certutil.*urlcache|bitsadmin.*transfer|net\.webclient|start-bitstransfer)`) or
      re.regex($e.target.process.command_line,
        `(?i)(-encodedcommand|-enc\s|-ec\s)`) or
      (
        re.regex($e.target.process.command_line,
          `(?i)(whoami|net\s+user|net\s+group|nltest|ipconfig|systeminfo|netstat|tasklist)`) and
        re.regex($e.target.process.command_line,
          `(?i)(-windowstyle\s+hidden|-w\s+hidden|-nop\s|-noni\s)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Forwarder collecting Windows Sysmon events Chronicle UDM normalized process telemetry from EDR integrations

Required Tables

UDM Events (metadata.event_type = PROCESS_LAUNCH)

False Positives

Legitimate SCCM task sequences deploying software that calls PowerShell with base64-encoded scripts, triggering the -encodedcommand or -enc regex branches
Intune Management Extension running Win32 app install scripts that call net.exe or reg.exe to configure application prerequisites on managed endpoints
PDQ Deploy tasks that invoke whoami.exe or systeminfo.exe within silent PowerShell wrappers for pre-installation compatibility checking, matching the ReconActivity and HiddenExec combination

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| regex("(?i)(ccmexec\.exe|ccmsetup\.exe|besclient\.exe|besservice\.exe|PDQDeployRunner\.exe|PDQDeploy\.exe|AeXNSAgent\.exe|AeXSWDSvc\.exe|IntuneManagementExtension\.exe|amazon-ssm-agent\.exe|RemoteExec\.exe|radmin\.exe|r_server\.exe)$", field=ParentBaseFileName)
| regex("(?i)(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\regsvr32\.exe|\\\\rundll32\.exe|\\\\certutil\.exe|\\\\bitsadmin\.exe|\\\\wmic\.exe|\\\\net\.exe|\\\\net1\.exe|\\\\sc\.exe|\\\\schtasks\.exe|\\\\reg\.exe|\\\\whoami\.exe|\\\\nltest\.exe|\\\\at\.exe)$", field=ImageFileName)
| CredentialAccess := if(regex("(?i)(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\.dit|minidump)", field=CommandLine), 1, 0)
| LateralMovement := if(regex("(?i)(psexec|wmic\\s+/node|net\\s+use\\s|xcopy|robocopy|enter-pssession)", field=CommandLine), 1, 0)
| PersistenceAttempt := if(regex("(?i)(schtasks\\s+/create|sc\\s+create|reg\\s+add|localgroup.*administrator|currentversion.run)", field=CommandLine), 1, 0)
| DownloadAttempt := if(regex("(?i)(downloadstring|downloadfile|invoke-webrequest|iwr\\s|certutil.*urlcache|bitsadmin.*transfer|net\.webclient|start-bitstransfer)", field=CommandLine), 1, 0)
| EncodedCmd := if(regex("(?i)(-encodedcommand|-enc\\s+|-ec\\s+)", field=CommandLine), 1, 0)
| ReconActivity := if(regex("(?i)(whoami|net\\s+user|net\\s+group|nltest|ipconfig|systeminfo|netstat|tasklist)", field=CommandLine), 1, 0)
| HiddenExec := if(regex("(?i)(-windowstyle\\s+hidden|-w\\s+hidden|-nop\\s|-noni\\s)", field=CommandLine), 1, 0)
| RiskScore := CredentialAccess*5 + LateralMovement*4 + PersistenceAttempt*4 + DownloadAttempt*3 + EncodedCmd*2 + ReconActivity*HiddenExec*3 + ReconActivity
| where(RiskScore > 0)
| table([timestamp, ComputerName, UserPrincipalName, ImageFileName, CommandLine, ParentBaseFileName, CredentialAccess, LateralMovement, PersistenceAttempt, DownloadAttempt, EncodedCmd, ReconActivity, HiddenExec, RiskScore], sortby=timestamp, order=desc, limit=500)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (Falcon sensor process telemetry) CrowdStrike LogScale / Humio SIEM CrowdStrike Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Falcon sensor observing SCCM or Intune agents running PowerShell with -EncodedCommand for legitimate MDM-deployed application installation scripts that are encoded for size or special character handling
AWS SSM Agent (amazon-ssm-agent.exe) executing Run Command documents or State Manager associations that invoke powershell.exe or cmd.exe for instance baseline configuration and patching workflows
IT support staff using RAdmin (radmin.exe or r_server.exe) for authorized remote administration sessions where administrative tools like whoami.exe or net.exe are run interactively during troubleshooting

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1072 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Software Deployment Tools

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections