T1072 Sumo Logic CSE · Sumo

Detect Software Deployment Tools in Sumo Logic CSE

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation.

MITRE ATT&CK

Tactic
Execution Lateral Movement
Technique
T1072 Software Deployment Tools
Canonical reference
https://attack.mitre.org/techniques/T1072/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*/windows/sysmon (EventCode=1 OR EventID=1)
| parse regex "(?i)<Data Name='ParentImage'>(?P<ParentImage>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='Image'>(?P<Image>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='CommandLine'>(?P<CommandLine>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='ParentCommandLine'>(?P<ParentCommandLine>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='User'>(?P<User>[^<]+)</Data>" nodrop
| where ParentImage =~ "(?i).*(ccmexec|ccmsetup|besclient|besservice|PDQDeployRunner|PDQDeploy|AeXNSAgent|AeXSWDSvc|IntuneManagementExtension|amazon-ssm-agent|RemoteExec|radmin|r_server)\\.exe$"
| where Image =~ "(?i).*\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|net|net1|sc|schtasks|reg|whoami|nltest|at)\\.exe$"
| toLowerCase(CommandLine) as cmd
| if(cmd =~ ".*(lsass|procdump|mimikatz|sekurlsa|comsvcs|ntds\\.dit|minidump).*", 1, 0) as CredentialAccess
| if(cmd =~ ".*(psexec|wmic /node|net use |xcopy|robocopy|enter-pssession).*", 1, 0) as LateralMovement
| if(cmd =~ ".*(schtasks /create|sc create|reg add|localgroup.*administrator|currentversion.run).*", 1, 0) as PersistenceAttempt
| if(cmd =~ ".*(downloadstring|downloadfile|invoke-webrequest|iwr |certutil.*urlcache|bitsadmin.*transfer|net\\.webclient|start-bitstransfer).*", 1, 0) as DownloadAttempt
| if(cmd =~ ".*(-encodedcommand|-enc |-e |-ec ).*", 1, 0) as EncodedCmd
| if(cmd =~ ".*(whoami|net user|net group|nltest|ipconfig|systeminfo|netstat|tasklist).*", 1, 0) as ReconActivity
| if(cmd =~ ".*(-windowstyle hidden|-w hidden|-nop |-noni ).*", 1, 0) as HiddenExec
| (CredentialAccess*5 + LateralMovement*4 + PersistenceAttempt*4 + DownloadAttempt*3 + EncodedCmd*2 + ReconActivity*HiddenExec*3 + ReconActivity) as RiskScore
| where RiskScore > 0
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, ParentCommandLine, CredentialAccess, LateralMovement, PersistenceAttempt, DownloadAttempt, EncodedCmd, ReconActivity, HiddenExec, RiskScore
| sort by RiskScore, _messageTime
high severity high confidence

Sumo Logic search query parsing Sysmon EventCode 1 (Process Create) XML payloads collected via Installed Collector on Windows endpoints. Extracts parent process, child process, command line, and user via named regex capture groups. Applies the same weighted risk scoring model as the reference SPL query across six behavioral categories. Events with RiskScore > 0 are surfaced for analyst triage.

Data Sources

Sumo Logic Installed Collector (Windows Sysmon Operational log)Sumo Logic Cloud SIEM Enterprise (normalized process events)Sumo Logic OpenTelemetry Collector (hostmetrics + windows events)

Required Tables

_sourceCategory=*/windows/sysmon

False Positives & Tuning

  • Intune Management Extension running PowerShell scripts signed and encoded in base64 for Win32 application deployment packages submitted through Endpoint Manager
  • AWS SSM Run Command documents executing shell commands for fleet-wide instance configuration, patching workflows, or compliance baseline enforcement via ssm-agent
  • SCCM software center deployments invoking net.exe or sc.exe to configure service accounts, prerequisites, or local group memberships as part of approved application installation sequences
Download portable Sigma rule (.yml)

Other platforms for T1072

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious Reconnaissance via Deployment Tool Child Process

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'whoami /all', 'net user /domain', 'nltest /domain_trusts', and 'net localgroup administrators'. Security Event ID 4688 (with command line auditing enabled) showing the full command chain. Each net.exe/nltest.exe subprocess also generates its own Event ID 1.

  2. Test 2Simulate Hidden PowerShell Execution with Download Cradle via Deployment Context

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '-ExecutionPolicy Bypass', '-WindowStyle Hidden', '-NoProfile', '-NonInteractive', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9999 (connection refused). PowerShell ScriptBlock Log Event ID 4104 with full script content.

  3. Test 3Simulate Credential Staging via Deployment Tool (comsvcs MiniDump)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine referencing 'comsvcs.dll' and 'MiniDump'. Sysmon Event ID 1 child: rundll32.exe with CommandLine 'comsvcs.dll, MiniDump <PID>'. Sysmon Event ID 10: Process Access event targeting lsass.exe with GrantedAccess 0x1FFFFF. Security Event ID 4656: Handle request to lsass.exe. EDR should generate a LSASS credential access alert independently.

  4. Test 4Simulate AWS SSM Run Command Abuse

    Expected signal: AWS CloudTrail: EventName=SendCommand, EventSource=ssm.amazonaws.com, with userIdentity.arn of the calling principal, sourceIPAddress of the attacker host, and requestParameters.documentName=AWS-RunShellScript. SSM agent log on target instance: /var/log/amazon/ssm/amazon-ssm-agent.log shows command receipt. CloudWatch Logs (if configured): command output stored at the configured S3 output bucket.

  5. Test 5Simulate Lateral Movement via Deployment Tool (Remote Service Installation)

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'sc \\127.0.0.1 create' and service binary path. Security Event ID 7045 (System log): New service 'df00tech_test_svc' installed on the system. Security Event ID 4697: A service was installed in the system (if service installation auditing is enabled). Security Event ID 4624: Logon event for the remote connection authentication.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1072 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1651Cloud Administration CommandT1021Remote ServicesT1059.001PowerShellT1059.003Windows Command ShellT1053.005Scheduled TaskT1543.003Windows ServiceT1047Windows Management InstrumentationT1485Data DestructionT1486Data Encrypted for Impact

Same Tactic: Execution

Popular Detections