T1072 Elastic Security · Elastic

Detect Software Deployment Tools in Elastic Security

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation.

MITRE ATT&CK

Tactic
Execution Lateral Movement
Technique
T1072 Software Deployment Tools
Canonical reference
https://attack.mitre.org/techniques/T1072/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start"
  and process.parent.name in~ (
    "ccmexec.exe", "ccmsetup.exe", "besclient.exe", "besservice.exe",
    "pdqdeployrunner.exe", "pdqdeploy.exe", "aexnsagent.exe", "aexswdsvc.exe",
    "intunemanagementextension.exe", "amazon-ssm-agent.exe",
    "remoteexec.exe", "radmin.exe", "r_server.exe"
  )
  and process.name in~ (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "wmic.exe", "net.exe", "net1.exe", "sc.exe", "schtasks.exe",
    "reg.exe", "whoami.exe", "nltest.exe", "at.exe"
  )
  and (
    process.command_line like~ ("*lsass*", "*procdump*", "*mimikatz*", "*sekurlsa*", "*comsvcs*", "*ntds.dit*", "*minidump*")
    or process.command_line like~ ("*psexec*", "*wmic /node*", "*net use *", "*xcopy*", "*robocopy*", "*enter-pssession*")
    or process.command_line like~ ("*schtasks /create*", "*sc create*", "*reg add*", "*localgroup administrators*", "*CurrentVersion\\Run*")
    or process.command_line like~ ("*downloadstring*", "*downloadfile*", "*invoke-webrequest*", "*iwr *", "*certutil -urlcache*", "*bitsadmin /transfer*", "*net.webclient*", "*start-bitstransfer*")
    or process.command_line like~ ("*-encodedcommand*", "*-enc *", "*-ec *")
    or (
      process.command_line like~ ("*whoami*", "*net user*", "*net group*", "*nltest*", "*ipconfig*", "*systeminfo*", "*netstat*", "*tasklist*")
      and process.command_line like~ ("*-windowstyle hidden*", "*-w hidden*", "*-nop *", "*-noni *")
    )
  )
high severity high confidence

Detects living-off-the-land binaries and interpreter processes spawned as children of known software deployment agents (SCCM, BigFix, PDQ Deploy, Intune, AWS SSM, RAdmin). Matches on command-line indicators covering credential access, lateral movement, persistence, payload download, encoded execution, and recon combined with stealth flags — mirroring the logic of the reference KQL/SPL for T1072.

Data Sources

Elastic Endpoint Security agent (process telemetry)Windows Sysmon via Elastic Agent or WinlogbeatAuditbeat (Linux, if deployment agents run cross-platform)

Required Tables

logs-endpoint.events.process-*winlogbeat-*.ds-logs-system.security-*

False Positives & Tuning

  • SCCM or Intune software deployment tasks that legitimately invoke PowerShell with -EncodedCommand to handle complex multi-line scripts packaged for transport in MDM payloads
  • BigFix fixlets running net.exe, sc.exe, or reg.exe to enforce OS baseline configuration (service hardening, local group membership, registry policy) as part of scheduled remediation
  • PDQ Deploy jobs that use certutil.exe or bitsadmin.exe to fetch installation packages from internal distribution servers during authorized software rollouts
Download portable Sigma rule (.yml)

Other platforms for T1072

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious Reconnaissance via Deployment Tool Child Process

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'whoami /all', 'net user /domain', 'nltest /domain_trusts', and 'net localgroup administrators'. Security Event ID 4688 (with command line auditing enabled) showing the full command chain. Each net.exe/nltest.exe subprocess also generates its own Event ID 1.

  2. Test 2Simulate Hidden PowerShell Execution with Download Cradle via Deployment Context

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '-ExecutionPolicy Bypass', '-WindowStyle Hidden', '-NoProfile', '-NonInteractive', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9999 (connection refused). PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3Simulate Credential Staging via Deployment Tool (comsvcs MiniDump)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine referencing 'comsvcs.dll' and 'MiniDump'. Sysmon Event ID 1 child: rundll32.exe with CommandLine 'comsvcs.dll, MiniDump <PID>'. Sysmon Event ID 10: Process Access event targeting lsass.exe with GrantedAccess 0x1FFFFF. Security Event ID 4656: Handle request to lsass.exe. EDR should generate a LSASS credential access alert independently.

  4. Test 4Simulate AWS SSM Run Command Abuse

    Expected signal: AWS CloudTrail: EventName=SendCommand, EventSource=ssm.amazonaws.com, with userIdentity.arn of the calling principal, sourceIPAddress of the attacker host, and requestParameters.documentName=AWS-RunShellScript. SSM agent log on target instance: /var/log/amazon/ssm/amazon-ssm-agent.log shows command receipt. CloudWatch Logs (if configured): command output stored at the configured S3 output bucket.

  5. Test 5Simulate Lateral Movement via Deployment Tool (Remote Service Installation)

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'sc \\127.0.0.1 create' and service binary path. Security Event ID 7045 (System log): New service 'df00tech_test_svc' installed on the system. Security Event ID 4697: A service was installed in the system (if service installation auditing is enabled). Security Event ID 4624: Logon event for the remote connection authentication.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1072 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1651Cloud Administration CommandT1021Remote ServicesT1059.001PowerShellT1059.003Windows Command ShellT1053.005Scheduled TaskT1543.003Windows ServiceT1047Windows Management InstrumentationT1485Data DestructionT1486Data Encrypted for Impact

Same Tactic: Execution

Popular Detections