Detect Software Deployment Tools in Google Chronicle
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation.
MITRE ATT&CK
- Tactic
- Execution Lateral Movement
- Technique
- T1072 Software Deployment Tools
- Canonical reference
- https://attack.mitre.org/techniques/T1072/
YARA-L Detection Query
rule t1072_deployment_tool_suspicious_child_process {
meta:
author = "Detection Engineering"
description = "Detects suspicious LOLBin or interpreter processes spawned by software deployment agents, indicating T1072 abuse for execution or lateral movement"
mitre_attack_tactic = "Lateral Movement, Execution"
mitre_attack_technique = "T1072"
severity = "HIGH"
confidence = "HIGH"
rule_version = "1.0"
created = "2025-01-01"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
re.regex($e.principal.process.file.full_path,
`(?i)(ccmexec\.exe|ccmsetup\.exe|besclient\.exe|besservice\.exe|PDQDeployRunner\.exe|PDQDeploy\.exe|AeXNSAgent\.exe|AeXSWDSvc\.exe|IntuneManagementExtension\.exe|amazon-ssm-agent\.exe|RemoteExec\.exe|radmin\.exe|r_server\.exe)$`)
re.regex($e.target.process.file.full_path,
`(?i)(\\cmd\.exe|\\powershell\.exe|\\pwsh\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\regsvr32\.exe|\\rundll32\.exe|\\certutil\.exe|\\bitsadmin\.exe|\\wmic\.exe|\\net\.exe|\\net1\.exe|\\sc\.exe|\\schtasks\.exe|\\reg\.exe|\\whoami\.exe|\\nltest\.exe|\\at\.exe)$`)
(
re.regex($e.target.process.command_line,
`(?i)(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\.dit|minidump|psexec|wmic\s+/node|net\s+use\s|xcopy|robocopy|enter-pssession)`) or
re.regex($e.target.process.command_line,
`(?i)(schtasks\s+/create|sc\s+create|reg\s+add|localgroup.*administrator|currentversion.run)`) or
re.regex($e.target.process.command_line,
`(?i)(downloadstring|downloadfile|invoke-webrequest|iwr\s|certutil.*urlcache|bitsadmin.*transfer|net\.webclient|start-bitstransfer)`) or
re.regex($e.target.process.command_line,
`(?i)(-encodedcommand|-enc\s|-ec\s)`) or
(
re.regex($e.target.process.command_line,
`(?i)(whoami|net\s+user|net\s+group|nltest|ipconfig|systeminfo|netstat|tasklist)`) and
re.regex($e.target.process.command_line,
`(?i)(-windowstyle\s+hidden|-w\s+hidden|-nop\s|-noni\s)`)
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule matching UDM PROCESS_LAUNCH events where the principal (parent) process path ends in a known software deployment agent filename and the target (child) process is a LOLBin or interpreter. Command-line patterns cover all six attack categories from the reference queries: credential access, lateral movement, persistence, payload download, encoded execution, and stealthy recon. Uses backtick raw strings for regex to avoid double-escaping.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SCCM task sequences deploying software that calls PowerShell with base64-encoded scripts, triggering the -encodedcommand or -enc regex branches
- Intune Management Extension running Win32 app install scripts that call net.exe or reg.exe to configure application prerequisites on managed endpoints
- PDQ Deploy tasks that invoke whoami.exe or systeminfo.exe within silent PowerShell wrappers for pre-installation compatibility checking, matching the ReconActivity and HiddenExec combination
Other platforms for T1072
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Malicious Reconnaissance via Deployment Tool Child Process
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'whoami /all', 'net user /domain', 'nltest /domain_trusts', and 'net localgroup administrators'. Security Event ID 4688 (with command line auditing enabled) showing the full command chain. Each net.exe/nltest.exe subprocess also generates its own Event ID 1.
- Test 2Simulate Hidden PowerShell Execution with Download Cradle via Deployment Context
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '-ExecutionPolicy Bypass', '-WindowStyle Hidden', '-NoProfile', '-NonInteractive', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9999 (connection refused). PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 3Simulate Credential Staging via Deployment Tool (comsvcs MiniDump)
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine referencing 'comsvcs.dll' and 'MiniDump'. Sysmon Event ID 1 child: rundll32.exe with CommandLine 'comsvcs.dll, MiniDump <PID>'. Sysmon Event ID 10: Process Access event targeting lsass.exe with GrantedAccess 0x1FFFFF. Security Event ID 4656: Handle request to lsass.exe. EDR should generate a LSASS credential access alert independently.
- Test 4Simulate AWS SSM Run Command Abuse
Expected signal: AWS CloudTrail: EventName=SendCommand, EventSource=ssm.amazonaws.com, with userIdentity.arn of the calling principal, sourceIPAddress of the attacker host, and requestParameters.documentName=AWS-RunShellScript. SSM agent log on target instance: /var/log/amazon/ssm/amazon-ssm-agent.log shows command receipt. CloudWatch Logs (if configured): command output stored at the configured S3 output bucket.
- Test 5Simulate Lateral Movement via Deployment Tool (Remote Service Installation)
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'sc \\127.0.0.1 create' and service binary path. Security Event ID 7045 (System log): New service 'df00tech_test_svc' installed on the system. Security Event ID 4697: A service was installed in the system (if service installation auditing is enabled). Security Event ID 4624: Logon event for the remote connection authentication.
References (10)
- https://attack.mitre.org/techniques/T1072/
- https://www.mandiant.com/resources/blog/apt32-targeting-private-sector
- https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://learn.microsoft.com/en-us/mem/configmgr/core/servers/manage/cmtrace
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
Unlock Pro Content
Get the full detection package for T1072 including response playbook, investigation guide, and atomic red team tests.