T1072 CrowdStrike LogScale · LogScale

Detect Software Deployment Tools in CrowdStrike LogScale

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation.

MITRE ATT&CK

Tactic
Execution Lateral Movement
Technique
T1072 Software Deployment Tools
Canonical reference
https://attack.mitre.org/techniques/T1072/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| regex("(?i)(ccmexec\.exe|ccmsetup\.exe|besclient\.exe|besservice\.exe|PDQDeployRunner\.exe|PDQDeploy\.exe|AeXNSAgent\.exe|AeXSWDSvc\.exe|IntuneManagementExtension\.exe|amazon-ssm-agent\.exe|RemoteExec\.exe|radmin\.exe|r_server\.exe)$", field=ParentBaseFileName)
| regex("(?i)(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\regsvr32\.exe|\\\\rundll32\.exe|\\\\certutil\.exe|\\\\bitsadmin\.exe|\\\\wmic\.exe|\\\\net\.exe|\\\\net1\.exe|\\\\sc\.exe|\\\\schtasks\.exe|\\\\reg\.exe|\\\\whoami\.exe|\\\\nltest\.exe|\\\\at\.exe)$", field=ImageFileName)
| CredentialAccess := if(regex("(?i)(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\.dit|minidump)", field=CommandLine), 1, 0)
| LateralMovement := if(regex("(?i)(psexec|wmic\\s+/node|net\\s+use\\s|xcopy|robocopy|enter-pssession)", field=CommandLine), 1, 0)
| PersistenceAttempt := if(regex("(?i)(schtasks\\s+/create|sc\\s+create|reg\\s+add|localgroup.*administrator|currentversion.run)", field=CommandLine), 1, 0)
| DownloadAttempt := if(regex("(?i)(downloadstring|downloadfile|invoke-webrequest|iwr\\s|certutil.*urlcache|bitsadmin.*transfer|net\.webclient|start-bitstransfer)", field=CommandLine), 1, 0)
| EncodedCmd := if(regex("(?i)(-encodedcommand|-enc\\s+|-ec\\s+)", field=CommandLine), 1, 0)
| ReconActivity := if(regex("(?i)(whoami|net\\s+user|net\\s+group|nltest|ipconfig|systeminfo|netstat|tasklist)", field=CommandLine), 1, 0)
| HiddenExec := if(regex("(?i)(-windowstyle\\s+hidden|-w\\s+hidden|-nop\\s|-noni\\s)", field=CommandLine), 1, 0)
| RiskScore := CredentialAccess*5 + LateralMovement*4 + PersistenceAttempt*4 + DownloadAttempt*3 + EncodedCmd*2 + ReconActivity*HiddenExec*3 + ReconActivity
| where(RiskScore > 0)
| table([timestamp, ComputerName, UserPrincipalName, ImageFileName, CommandLine, ParentBaseFileName, CredentialAccess, LateralMovement, PersistenceAttempt, DownloadAttempt, EncodedCmd, ReconActivity, HiddenExec, RiskScore], sortby=timestamp, order=desc, limit=500)
high severity high confidence

CrowdStrike LogScale (Falcon/Humio) query targeting ProcessRollup2 events where Falcon telemetry records a deployment agent as parent (matched via ParentBaseFileName) and a LOLBin as child (matched via full ImageFileName path). Applies the same six-category weighted risk scoring as the reference SPL. Uses LogScale regex() function for pattern matching and if() for numeric flag assignment. RiskScore > 0 filter surfaces any matching suspicious behavior for analyst review.

Data Sources

CrowdStrike Falcon EDR (Falcon sensor process telemetry)CrowdStrike LogScale / Humio SIEMCrowdStrike Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon sensor observing SCCM or Intune agents running PowerShell with -EncodedCommand for legitimate MDM-deployed application installation scripts that are encoded for size or special character handling
  • AWS SSM Agent (amazon-ssm-agent.exe) executing Run Command documents or State Manager associations that invoke powershell.exe or cmd.exe for instance baseline configuration and patching workflows
  • IT support staff using RAdmin (radmin.exe or r_server.exe) for authorized remote administration sessions where administrative tools like whoami.exe or net.exe are run interactively during troubleshooting
Download portable Sigma rule (.yml)

Other platforms for T1072

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious Reconnaissance via Deployment Tool Child Process

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'whoami /all', 'net user /domain', 'nltest /domain_trusts', and 'net localgroup administrators'. Security Event ID 4688 (with command line auditing enabled) showing the full command chain. Each net.exe/nltest.exe subprocess also generates its own Event ID 1.

  2. Test 2Simulate Hidden PowerShell Execution with Download Cradle via Deployment Context

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '-ExecutionPolicy Bypass', '-WindowStyle Hidden', '-NoProfile', '-NonInteractive', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9999 (connection refused). PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3Simulate Credential Staging via Deployment Tool (comsvcs MiniDump)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine referencing 'comsvcs.dll' and 'MiniDump'. Sysmon Event ID 1 child: rundll32.exe with CommandLine 'comsvcs.dll, MiniDump <PID>'. Sysmon Event ID 10: Process Access event targeting lsass.exe with GrantedAccess 0x1FFFFF. Security Event ID 4656: Handle request to lsass.exe. EDR should generate a LSASS credential access alert independently.

  4. Test 4Simulate AWS SSM Run Command Abuse

    Expected signal: AWS CloudTrail: EventName=SendCommand, EventSource=ssm.amazonaws.com, with userIdentity.arn of the calling principal, sourceIPAddress of the attacker host, and requestParameters.documentName=AWS-RunShellScript. SSM agent log on target instance: /var/log/amazon/ssm/amazon-ssm-agent.log shows command receipt. CloudWatch Logs (if configured): command output stored at the configured S3 output bucket.

  5. Test 5Simulate Lateral Movement via Deployment Tool (Remote Service Installation)

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'sc \\127.0.0.1 create' and service binary path. Security Event ID 7045 (System log): New service 'df00tech_test_svc' installed on the system. Security Event ID 4697: A service was installed in the system (if service installation auditing is enabled). Security Event ID 4624: Logon event for the remote connection authentication.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1072 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1651Cloud Administration CommandT1021Remote ServicesT1059.001PowerShellT1059.003Windows Command ShellT1053.005Scheduled TaskT1543.003Windows ServiceT1047Windows Management InstrumentationT1485Data DestructionT1486Data Encrypted for Impact

Same Tactic: Execution

Popular Detections