T1072 Microsoft Sentinel · KQL

Detect Software Deployment Tools in Microsoft Sentinel

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation.

MITRE ATT&CK

Tactic
Execution Lateral Movement
Technique
T1072 Software Deployment Tools
Canonical reference
https://attack.mitre.org/techniques/T1072/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let DeploymentAgents = dynamic([
    "ccmexec.exe",
    "ccmsetup.exe",
    "besclient.exe",
    "besservice.exe",
    "PDQDeployRunner.exe",
    "PDQDeploy.exe",
    "AeXNSAgent.exe",
    "AeXSWDSvc.exe",
    "IntuneManagementExtension.exe",
    "amazon-ssm-agent.exe",
    "RemoteExec.exe",
    "radmin.exe",
    "r_server.exe"
]);
let SuspiciousChildren = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "wmic.exe", "net.exe", "net1.exe", "sc.exe", "schtasks.exe",
    "reg.exe", "whoami.exe", "nltest.exe", "at.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (DeploymentAgents)
| where FileName has_any (SuspiciousChildren)
| extend CredentialAccess = ProcessCommandLine has_any ("lsass", "procdump", "mimikatz", "sekurlsa", "comsvcs", "ntds.dit", "MiniDump")
| extend LateralMovement = ProcessCommandLine has_any ("psexec", "wmic /node", "net use", "xcopy", "robocopy", "Enter-PSSession")
| extend PersistenceAttempt = ProcessCommandLine has_any ("schtasks /create", "sc create", "reg add", "localgroup administrators", "CurrentVersion\\Run", "startup")
| extend DownloadAttempt = ProcessCommandLine has_any ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "certutil -urlcache", "bitsadmin /transfer", "net.webclient", "Start-BitsTransfer")
| extend EncodedCmd = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "-e ", "-ec ")
| extend ReconActivity = ProcessCommandLine has_any ("whoami", "net user", "net group", "nltest", "ipconfig", "systeminfo", "netstat", "tasklist", "net localgroup")
| extend HiddenExec = ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "-nop ", "-noni ")
| where CredentialAccess or LateralMovement or PersistenceAttempt or DownloadAttempt or EncodedCmd or (ReconActivity and HiddenExec)
| project Timestamp, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName,
          CredentialAccess, LateralMovement, PersistenceAttempt,
          DownloadAttempt, EncodedCmd, ReconActivity, HiddenExec
| sort by Timestamp desc
high severity medium confidence

Detects suspicious child processes spawned by known software deployment tool agents using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies deployment agents (SCCM ccmexec.exe, BigFix besclient.exe, PDQ Deploy PDQDeployRunner.exe, Intune IntuneManagementExtension.exe, AWS SSM amazon-ssm-agent.exe, RAdmin radmin.exe, RemoteExec) launching living-off-the-land binaries with suspicious command patterns. Flags are categorized per attack phase — credential access, lateral movement, persistence, download cradles, encoded commands, and reconnaissance — to support analyst triage and prioritization.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • SCCM/ConfigMgr routinely spawns PowerShell and cmd.exe to execute legitimate software deployment scripts, patch management, and compliance remediation — build an allowlist of authorized script names and package GUIDs from InitiatingProcessCommandLine
  • BigFix (HCL) and PDQ Deploy are frequently used for IT administration tasks including software installs, configuration changes, and script execution that legitimately trigger this detection during patch cycles
  • Intune Management Extension (IntuneManagementExtension.exe) executes PowerShell scripts deployed by administrators for device configuration, security baseline enforcement, and application installation
  • AWS Systems Manager Run Command legitimately executes shell commands on EC2 instances for patch management, inventory collection, and operational runbooks — tune by allowlisting known SSM document names
  • Automated patch management tools may use certutil or bitsadmin for downloading and verifying update packages from vendor CDNs
  • Monitoring and inventory agents (SCCM hardware inventory, BigFix relevance queries) run net.exe and systeminfo.exe on a schedule to collect asset data
Download portable Sigma rule (.yml)

Other platforms for T1072

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious Reconnaissance via Deployment Tool Child Process

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'whoami /all', 'net user /domain', 'nltest /domain_trusts', and 'net localgroup administrators'. Security Event ID 4688 (with command line auditing enabled) showing the full command chain. Each net.exe/nltest.exe subprocess also generates its own Event ID 1.

  2. Test 2Simulate Hidden PowerShell Execution with Download Cradle via Deployment Context

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '-ExecutionPolicy Bypass', '-WindowStyle Hidden', '-NoProfile', '-NonInteractive', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9999 (connection refused). PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3Simulate Credential Staging via Deployment Tool (comsvcs MiniDump)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine referencing 'comsvcs.dll' and 'MiniDump'. Sysmon Event ID 1 child: rundll32.exe with CommandLine 'comsvcs.dll, MiniDump <PID>'. Sysmon Event ID 10: Process Access event targeting lsass.exe with GrantedAccess 0x1FFFFF. Security Event ID 4656: Handle request to lsass.exe. EDR should generate a LSASS credential access alert independently.

  4. Test 4Simulate AWS SSM Run Command Abuse

    Expected signal: AWS CloudTrail: EventName=SendCommand, EventSource=ssm.amazonaws.com, with userIdentity.arn of the calling principal, sourceIPAddress of the attacker host, and requestParameters.documentName=AWS-RunShellScript. SSM agent log on target instance: /var/log/amazon/ssm/amazon-ssm-agent.log shows command receipt. CloudWatch Logs (if configured): command output stored at the configured S3 output bucket.

  5. Test 5Simulate Lateral Movement via Deployment Tool (Remote Service Installation)

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'sc \\127.0.0.1 create' and service binary path. Security Event ID 7045 (System log): New service 'df00tech_test_svc' installed on the system. Security Event ID 4697: A service was installed in the system (if service installation auditing is enabled). Security Event ID 4624: Logon event for the remote connection authentication.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1072 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1651Cloud Administration CommandT1021Remote ServicesT1059.001PowerShellT1059.003Windows Command ShellT1053.005Scheduled TaskT1543.003Windows ServiceT1047Windows Management InstrumentationT1485Data DestructionT1486Data Encrypted for Impact

Same Tactic: Execution

Popular Detections