T1072 IBM QRadar · QRadar

Detect Software Deployment Tools in IBM QRadar

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation.

MITRE ATT&CK

Tactic
Execution Lateral Movement
Technique
T1072 Software Deployment Tools
Canonical reference
https://attack.mitre.org/techniques/T1072/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "User",
  "Process Image" AS "Child Process",
  "Parent Image" AS "Parent Process",
  "CommandLine" AS "Command Line",
  "Parent CommandLine" AS "Parent Command Line",
  CASE WHEN LOWER("CommandLine") LIKE '%lsass%'
            OR LOWER("CommandLine") LIKE '%procdump%'
            OR LOWER("CommandLine") LIKE '%mimikatz%'
            OR LOWER("CommandLine") LIKE '%sekurlsa%'
            OR LOWER("CommandLine") LIKE '%comsvcs%'
            OR LOWER("CommandLine") LIKE '%ntds.dit%'
            OR LOWER("CommandLine") LIKE '%minidump%'
       THEN 'YES' ELSE 'NO' END AS "CredentialAccess",
  CASE WHEN LOWER("CommandLine") LIKE '%psexec%'
            OR LOWER("CommandLine") LIKE '%wmic /node%'
            OR LOWER("CommandLine") LIKE '%net use %'
            OR LOWER("CommandLine") LIKE '%xcopy%'
            OR LOWER("CommandLine") LIKE '%robocopy%'
            OR LOWER("CommandLine") LIKE '%enter-pssession%'
       THEN 'YES' ELSE 'NO' END AS "LateralMovement",
  CASE WHEN LOWER("CommandLine") LIKE '%schtasks /create%'
            OR LOWER("CommandLine") LIKE '%sc create%'
            OR LOWER("CommandLine") LIKE '%reg add%'
            OR LOWER("CommandLine") LIKE '%localgroup%administrator%'
            OR LOWER("CommandLine") LIKE '%currentversion%run%'
       THEN 'YES' ELSE 'NO' END AS "PersistenceAttempt",
  CASE WHEN LOWER("CommandLine") LIKE '%downloadstring%'
            OR LOWER("CommandLine") LIKE '%downloadfile%'
            OR LOWER("CommandLine") LIKE '%invoke-webrequest%'
            OR LOWER("CommandLine") LIKE '%certutil -urlcache%'
            OR LOWER("CommandLine") LIKE '%bitsadmin /transfer%'
            OR LOWER("CommandLine") LIKE '%net.webclient%'
            OR LOWER("CommandLine") LIKE '%start-bitstransfer%'
       THEN 'YES' ELSE 'NO' END AS "DownloadAttempt",
  CASE WHEN LOWER("CommandLine") LIKE '%-encodedcommand%'
            OR LOWER("CommandLine") LIKE '%-enc %'
            OR LOWER("CommandLine") LIKE '%-ec %'
       THEN 'YES' ELSE 'NO' END AS "EncodedCmd"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND QIDNAME(qid) ILIKE '%Process Create%'
  AND (
    "Parent Image" ILIKE '%\\ccmexec.exe'
    OR "Parent Image" ILIKE '%\\ccmsetup.exe'
    OR "Parent Image" ILIKE '%\\besclient.exe'
    OR "Parent Image" ILIKE '%\\besservice.exe'
    OR "Parent Image" ILIKE '%\\PDQDeployRunner.exe'
    OR "Parent Image" ILIKE '%\\PDQDeploy.exe'
    OR "Parent Image" ILIKE '%\\AeXNSAgent.exe'
    OR "Parent Image" ILIKE '%\\AeXSWDSvc.exe'
    OR "Parent Image" ILIKE '%\\IntuneManagementExtension.exe'
    OR "Parent Image" ILIKE '%\\amazon-ssm-agent.exe'
    OR "Parent Image" ILIKE '%\\RemoteExec.exe'
    OR "Parent Image" ILIKE '%\\radmin.exe'
    OR "Parent Image" ILIKE '%\\r_server.exe'
  )
  AND (
    "Process Image" ILIKE '%\\cmd.exe'
    OR "Process Image" ILIKE '%\\powershell.exe'
    OR "Process Image" ILIKE '%\\pwsh.exe'
    OR "Process Image" ILIKE '%\\wscript.exe'
    OR "Process Image" ILIKE '%\\cscript.exe'
    OR "Process Image" ILIKE '%\\mshta.exe'
    OR "Process Image" ILIKE '%\\certutil.exe'
    OR "Process Image" ILIKE '%\\bitsadmin.exe'
    OR "Process Image" ILIKE '%\\rundll32.exe'
    OR "Process Image" ILIKE '%\\regsvr32.exe'
    OR "Process Image" ILIKE '%\\wmic.exe'
    OR "Process Image" ILIKE '%\\net.exe'
    OR "Process Image" ILIKE '%\\net1.exe'
    OR "Process Image" ILIKE '%\\whoami.exe'
    OR "Process Image" ILIKE '%\\nltest.exe'
    OR "Process Image" ILIKE '%\\schtasks.exe'
    OR "Process Image" ILIKE '%\\sc.exe'
    OR "Process Image" ILIKE '%\\reg.exe'
  )
  AND (
    LOWER("CommandLine") LIKE '%lsass%'
    OR LOWER("CommandLine") LIKE '%procdump%'
    OR LOWER("CommandLine") LIKE '%mimikatz%'
    OR LOWER("CommandLine") LIKE '%sekurlsa%'
    OR LOWER("CommandLine") LIKE '%comsvcs%'
    OR LOWER("CommandLine") LIKE '%ntds.dit%'
    OR LOWER("CommandLine") LIKE '%psexec%'
    OR LOWER("CommandLine") LIKE '%wmic /node%'
    OR LOWER("CommandLine") LIKE '%schtasks /create%'
    OR LOWER("CommandLine") LIKE '%sc create%'
    OR LOWER("CommandLine") LIKE '%reg add%'
    OR LOWER("CommandLine") LIKE '%downloadstring%'
    OR LOWER("CommandLine") LIKE '%invoke-webrequest%'
    OR LOWER("CommandLine") LIKE '%certutil -urlcache%'
    OR LOWER("CommandLine") LIKE '%bitsadmin /transfer%'
    OR LOWER("CommandLine") LIKE '%net.webclient%'
    OR LOWER("CommandLine") LIKE '%-encodedcommand%'
    OR LOWER("CommandLine") LIKE '%-enc %'
    OR LOWER("CommandLine") LIKE '%-ec %'
    OR (LOWER("CommandLine") LIKE '%whoami%' AND LOWER("CommandLine") LIKE '%-nop %')
    OR (LOWER("CommandLine") LIKE '%systeminfo%' AND LOWER("CommandLine") LIKE '%-windowstyle hidden%')
  )
ORDER BY devicetime DESC
LAST 1 DAYS

Severity: high · Confidence: medium

IBM QRadar AQL query against Sysmon Process Create events (QID mapped to Sysmon EventCode 1). It reads the parent and child process image fields from the QRadar Sysmon DSM custom properties, restricts parents to known deployment-tool binaries and children to scripting and administration utilities, then filters on command-line indicators matching credential access, lateral movement, persistence, download, and encoded-execution categories. CASE expressions annotate each category inline for analyst triage. Requires the QRadar Sysmon DSM with the custom properties 'Parent Image', 'Process Image', and 'CommandLine' parsed from the Sysmon XML payload.

Data Sources

IBM QRadar SIEM
Microsoft Windows Sysmon DSM (QRadar)
Windows Security Event Log DSM (QRadar)

Required Tables

events

False Positives & Tuning

  • SCCM task sequences that invoke PowerShell with -EncodedCommand or -enc for deploying complex application scripts, which triggers the EncodedCmd indicator with no malicious intent
  • BigFix actions using net.exe or sc.exe to enforce OS baseline policies such as disabling services or managing local administrator group membership during scheduled fixlet runs
  • PDQ Deploy packages that download installation files via bitsadmin or certutil from internal WSUS or software distribution servers as part of authorized enterprise deployments
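The query description and the tuning bullets above can be checked offline before touching the QRadar rule. The following Python model is an added example, not the page's AQL and not QRadar code: it applies the query's WHERE filter (deployment-tool parent, scripting child, command-line indicator) and its five CASE annotations to constructed Sysmon Event ID 1 records, then applies an allowlist built from the false-positive cases. The event records, the PDQ runner path, and the internal distribution host name wsus.corp.example are constructed; the two allowlist entries are hypothetical tuning choices, not part of the page.

```python
# Offline model of the rule above: the WHERE filter, the CASE annotations and an allowlist for
# the False Positives cases. Added example, not the page's AQL or QRadar code; the events and
# the allowlist entries are constructed for illustration.
import re

# Basenames from the query's "Parent Image" and "Process Image" lists.
DEPLOYMENT_PARENTS = set("""ccmexec.exe ccmsetup.exe besclient.exe besservice.exe
    pdqdeployrunner.exe pdqdeploy.exe aexnsagent.exe aexswdsvc.exe intunemanagementextension.exe
    amazon-ssm-agent.exe remoteexec.exe radmin.exe r_server.exe""".split())
LOLBIN_CHILDREN = set("""cmd.exe powershell.exe pwsh.exe wscript.exe cscript.exe mshta.exe
    certutil.exe bitsadmin.exe rundll32.exe regsvr32.exe wmic.exe net.exe net1.exe whoami.exe
    nltest.exe schtasks.exe sc.exe reg.exe""".split())
# LIKE patterns that SELECT an event (third AND block of the WHERE clause).
WHERE_PATTERNS = [
    "%lsass%", "%procdump%", "%mimikatz%", "%sekurlsa%", "%comsvcs%", "%ntds.dit%", "%psexec%",
    "%wmic /node%", "%schtasks /create%", "%sc create%", "%reg add%", "%downloadstring%",
    "%invoke-webrequest%", "%certutil -urlcache%", "%bitsadmin /transfer%", "%net.webclient%",
    "%-encodedcommand%", "%-enc %", "%-ec %",
]
WHERE_CONJUNCTIONS = [("%whoami%", "%-nop %"), ("%systeminfo%", "%-windowstyle hidden%")]
# LIKE patterns that ANNOTATE a selected event (the CASE expressions in the SELECT list).
CASE_PATTERNS = {
    "CredentialAccess": ["%lsass%", "%procdump%", "%mimikatz%", "%sekurlsa%", "%comsvcs%",
                         "%ntds.dit%", "%minidump%"],
    "LateralMovement": ["%psexec%", "%wmic /node%", "%net use %", "%xcopy%", "%robocopy%",
                        "%enter-pssession%"],
    "PersistenceAttempt": ["%schtasks /create%", "%sc create%", "%reg add%",
                           "%localgroup%administrator%", "%currentversion%run%"],
    "DownloadAttempt": ["%downloadstring%", "%downloadfile%", "%invoke-webrequest%",
                        "%certutil -urlcache%", "%bitsadmin /transfer%", "%net.webclient%",
                        "%start-bitstransfer%"],
    "EncodedCmd": ["%-encodedcommand%", "%-enc %", "%-ec %"],
}
# Hypothetical tuning allowlist from the False Positives bullets: (parent, child, categories
# that may fire, substring the command line must contain). The host name is a placeholder.
SUPPRESSIONS = [
    ("ccmexec.exe", "powershell.exe", {"EncodedCmd"}, ""),
    ("pdqdeployrunner.exe", "certutil.exe", {"DownloadAttempt"}, "wsus.corp.example"),
]

def like(value, pattern):
    """Case-insensitive SQL LIKE with the '%' wildcard, which is all the rule uses."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def basename(image):
    """Same effect as the query's ILIKE '%\\name.exe' suffix test on an image path."""
    return image.rsplit("\\", 1)[-1].lower()

def selected(event):
    """True when the event would pass the AQL WHERE clause."""
    cmd = event["CommandLine"]
    return (basename(event["Parent Image"]) in DEPLOYMENT_PARENTS
            and basename(event["Process Image"]) in LOLBIN_CHILDREN
            and (any(like(cmd, p) for p in WHERE_PATTERNS)
                 or any(like(cmd, a) and like(cmd, b) for a, b in WHERE_CONJUNCTIONS)))

def categorize(event):
    """The five CASE columns as a name -> bool mapping."""
    return {n: any(like(event["CommandLine"], p) for p in ps) for n, ps in CASE_PATTERNS.items()}

def evaluate(event):
    """None when the rule would not fire; otherwise the annotated hit plus a suppression flag."""
    if not selected(event):
        return None
    cats = categorize(event)
    fired = {n for n, hit in cats.items() if hit}
    parent, child = basename(event["Parent Image"]), basename(event["Process Image"])
    quiet = any(parent == p and child == c and fired <= allowed
                and needle in event["CommandLine"].lower() for p, c, allowed, needle in SUPPRESSIONS)
    return {"user": event["username"], "parent": parent, "child": child,
            "categories": cats, "suppressed": quiet}

def triage(events):
    """Hits that survive tuning, i.e. the rows an analyst would see after exclusions."""
    return [h for h in map(evaluate, events) if h is not None and not h["suppressed"]]

def ev(parent, child, cmd):
    """Constructed Sysmon Event ID 1 record shaped like the custom properties the AQL reads."""
    return {"username": "SYSTEM", "Parent Image": parent, "Process Image": child, "CommandLine": cmd}

SAMPLE_EVENTS = [
    # SCCM task sequence running an encoded script: selected, but encoded-only from CcmExec is allowlisted.
    ev(r"C:\Windows\CCM\CcmExec.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe -NoProfile -NonInteractive -EncodedCommand UwB0AGEAcgB0AA=="),
    # BigFix client spawning a comsvcs MiniDump (the page's Test 3 signal): selected, CredentialAccess.
    ev(r"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe", r"C:\Windows\System32\rundll32.exe",
       r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Windows\Temp\l.dmp full"),
    # PDQ package fetching an installer from the internal distribution host: selected, then allowlisted.
    ev(r"C:\Windows\AdminArsenal\PDQDeployRunner.exe", r"C:\Windows\System32\certutil.exe",
       r"certutil -urlcache -split -f http://wsus.corp.example/pkg/7zip.msi C:\Windows\Temp\7zip.msi"),
    # robocopy under BESClient: CASE would mark LateralMovement, but the WHERE list lacks robocopy.
    ev(r"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe", r"C:\Windows\System32\cmd.exe",
       r"cmd.exe /c robocopy \\fs01\baseline C:\ProgramData\baseline /e"),
]
```

Running `triage(SAMPLE_EVENTS)` leaves only the BESClient/rundll32 record. Two points the model makes visible: the WHERE indicator list is narrower than the CASE lists (robocopy, xcopy, net use, the localgroup and Run-key patterns annotate but never select, as the fourth record shows), and a suppression keyed on the full category set is safer than one keyed on a single substring, because an SCCM encoded command that also carries a download or credential indicator still surfaces. Each allowlist entry corresponds to an `AND NOT (...)` block you would append to the AQL WHERE clause.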

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Malicious Reconnaissance via Deployment Tool Child Process

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'whoami /all', 'net user /domain', 'nltest /domain_trusts', and 'net localgroup administrators'. Security Event ID 4688 (with command line auditing enabled) showing the full command chain. Each net.exe/nltest.exe subprocess also generates its own Event ID 1.

  2. Test 2: Simulate Hidden PowerShell Execution with Download Cradle via Deployment Context

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '-ExecutionPolicy Bypass', '-WindowStyle Hidden', '-NoProfile', '-NonInteractive', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9999 (connection refused). PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3: Simulate Credential Staging via Deployment Tool (comsvcs MiniDump)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine referencing 'comsvcs.dll' and 'MiniDump'. Sysmon Event ID 1 child: rundll32.exe with CommandLine 'comsvcs.dll, MiniDump <PID>'. Sysmon Event ID 10: Process Access event targeting lsass.exe with GrantedAccess 0x1FFFFF. Security Event ID 4656: Handle request to lsass.exe. EDR should generate an LSASS credential access alert independently.

  4. Test 4: Simulate AWS SSM Run Command Abuse

    Expected signal: AWS CloudTrail: EventName=SendCommand, EventSource=ssm.amazonaws.com, with userIdentity.arn of the calling principal, sourceIPAddress of the attacker host, and requestParameters.documentName=AWS-RunShellScript. SSM agent log on target instance: /var/log/amazon/ssm/amazon-ssm-agent.log shows command receipt. CloudWatch Logs (if configured): command output stored at the configured S3 output bucket.

  5. Test 5: Simulate Lateral Movement via Deployment Tool (Remote Service Installation)

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'sc \\127.0.0.1 create' and the service binary path. Event ID 7045 (System log): New service 'df00tech_test_svc' installed on the system. Security Event ID 4697: A service was installed in the system (if service installation auditing is enabled). Security Event ID 4624: Logon event for the remote connection authentication.
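The Sysmon rule above does not cover Test 4, whose signal lives in CloudTrail rather than on an endpoint. The following Python check is an added example, not the page's content and not AWS or QRadar code: it parses CloudTrail records as JSON lines and flags ssm.amazonaws.com SendCommand calls that run a shell document from a principal outside an approved automation set, returning the fields the test lists (caller ARN, source IP, document name) plus the targeted instance IDs. The records, the account ID 123456789012, the role and user names, the source IPs and the instance IDs are constructed; AWS-RunPowerShellScript is covered alongside the page's AWS-RunShellScript as the Windows counterpart of the same document type.

```python
# Added example for the CloudTrail signal listed under Test 4; not the page's AQL and not AWS
# or QRadar code. Flags ssm.amazonaws.com SendCommand calls that run a shell document from a
# principal outside an approved set. All records, ARNs, IPs and instance IDs are constructed.
import json

# Hypothetical allowlist: automation principals expected to run shell documents through SSM.
APPROVED_PRINCIPALS = {"arn:aws:iam::123456789012:role/PatchAutomationRole"}
# AWS-RunShellScript is the document the page names; AWS-RunPowerShellScript is its Windows
# counterpart and is covered for the same reason.
SHELL_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}


def is_adhoc_shell_command(record):
    """True when a CloudTrail record matches the Test 4 signal and the caller is not approved."""
    if record.get("eventSource") != "ssm.amazonaws.com" or record.get("eventName") != "SendCommand":
        return False
    document = record.get("requestParameters", {}).get("documentName", "")
    caller = record.get("userIdentity", {}).get("arn", "")
    return document in SHELL_DOCUMENTS and caller not in APPROVED_PRINCIPALS


def triage_cloudtrail(json_lines):
    """(caller ARN, source IP, document, instance IDs) for each flagged record, in input order."""
    flagged = []
    for line in json_lines:
        record = json.loads(line)
        if is_adhoc_shell_command(record):
            params = record["requestParameters"]
            flagged.append((record["userIdentity"]["arn"], record.get("sourceIPAddress", ""),
                            params["documentName"], tuple(params.get("instanceIds", []))))
    return flagged


def _record(arn, ip, event_name, document=None, instances=()):
    """Builds a constructed CloudTrail record carrying only the fields the check reads."""
    rec = {"eventSource": "ssm.amazonaws.com", "eventName": event_name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "requestParameters": {}}
    if document:
        rec["requestParameters"] = {"documentName": document, "instanceIds": list(instances)}
    return json.dumps(rec)


SAMPLE_CLOUDTRAIL = [
    # Approved patch automation running a shell document: expected, not flagged.
    _record("arn:aws:iam::123456789012:role/PatchAutomationRole", "10.0.12.5",
            "SendCommand", "AWS-RunShellScript", ("i-0aaaaaaaaaaaaaaa1",)),
    # A temporary IAM user sending AWS-RunShellScript from outside the automation set: flagged.
    _record("arn:aws:iam::123456789012:user/contractor-temp", "198.51.100.7",
            "SendCommand", "AWS-RunShellScript", ("i-0123456789abcdef0",)),
    # Same user, agent-update document: not a shell document, not flagged.
    _record("arn:aws:iam::123456789012:user/contractor-temp", "198.51.100.7",
            "SendCommand", "AWS-UpdateSSMAgent", ("i-0123456789abcdef0",)),
    # Read-only inventory call: wrong event name, not flagged.
    _record("arn:aws:iam::123456789012:user/contractor-temp", "198.51.100.7",
            "DescribeInstanceInformation"),
]
```

`triage_cloudtrail(SAMPLE_CLOUDTRAIL)` returns one tuple, for the contractor user. Keying the allowlist on the caller ARN rather than on the source IP matters: the test's signal describes the attacker host by sourceIPAddress, but a compromised automation credential would arrive from an expected address, so the principal is the more durable discriminator and the IP is kept as triage context.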
