T1072 - Software Deployment Tools
Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).
Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)
The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose.
Atomic Tests
Atomic Test #1 - Radmin Viewer Utility
An adversary may use the Radmin Viewer utility to remotely control a Windows device. This test starts the Radmin console.
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Dependencies: Run with powershell
Description: Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
Check Prereq Commands:
if (Test-Path "${env:ProgramFiles(x86)}/Radmin Viewer 3/Radmin.exe") {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Downloading radmin installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\RadminViewer.msi"
Write-Host Install Radmin
Start-Process msiexec -Wait -ArgumentList /i , "PathToAtomicsFolder\..\ExternalPayloads\RadminViewer.msi", /qn
Invoke-AtomicTest T1072 -TestNumbers 1 -GetPreReqs
Attack Commands: Run with command_prompt
"%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe"
Invoke-AtomicTest T1072 -TestNumbers 1
Atomic Test #2 - PDQ Deploy RAT
An adversary may use PDQ Deploy software to deploy a Remote Administration Tool. This test starts the PDQ Deploy console.
Supported Platforms: windows
Elevation Required (e.g. root or admin)
Dependencies: Run with powershell
Description: PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe})
Check Prereq Commands:
if (Test-Path "${env:ProgramFiles(x86)}/Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe") {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Downloading PDQ Deploy installer
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.pdq.com/release/19/Deploy_19.3.350.0.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PDQDeploysetup.exe"
Write-Host Install PDQ Deploy
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\PDQDeploysetup.exe" -Wait -ArgumentList "/s"
Invoke-AtomicTest T1072 -TestNumbers 2 -GetPreReqs
Attack Commands: Run with command_prompt
"%PROGRAMFILES(x86)%/Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe"
Invoke-AtomicTest T1072 -TestNumbers 2
Detection
Detection methods will vary depending on the type of third-party software or system and how it is typically used.
The same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems.
Often these third-party applications have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are onboarded to the enterprise logging system and reviewed regularly. Audit software deployment logs for suspicious or unauthorized activity. A system that is not normally used to push software to clients but suddenly does so, outside of a known admin function, may be suspicious. Monitor account login activity on these applications to detect suspicious or abnormal usage.
Perform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.
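The detection guidance above (known deployment systems, known operator accounts, a regular deployment window, and a catalogue of what is usually pushed) can be turned into a small baseline triage. The following is an added example, not code from the Atomic Red Team page or from MITRE ATT&CK: it parses constructed deployment-tool log lines in a made-up pipe-delimited format and flags every push that breaks the baseline, then counts flagged pushes per originating host so that a machine that never normally deploys software stands out. All hostnames, accounts, paths, times and the log schema are constructed assumptions, not any real product's format.

```python
"""
Baseline triage of software-deployment events.

Added example (not code from the Atomic Red Team page or MITRE ATT&CK):
applies the detection ideas in the text to constructed deployment-tool
log records. Every hostname, account, path, time and the log format are
constructed assumptions, not a real product's log schema.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DeployEvent:
    ts: datetime   # when the push was initiated
    deployer: str  # host running the deployment console
    operator: str  # account that initiated the push
    target: str    # endpoint receiving the package
    package: str   # path of the file/script pushed to the target


@dataclass(frozen=True)
class Baseline:
    """What 'known good' looks like for this environment (constructed)."""
    deployers: FrozenSet[str]          # hosts allowed to push software
    operators: FrozenSet[str]          # accounts allowed to run deployments
    approved_packages: FrozenSet[str]  # lower-case basenames of approved installers
    window_start: time                 # start of the regular deployment window
    window_end: time                   # end of the regular deployment window

    def in_window(self, ts: datetime) -> bool:
        return self.window_start <= ts.time() <= self.window_end


def package_name(path: str) -> str:
    """Normalise a UNC or local Windows path to its lower-case basename."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> DeployEvent:
    """Parse one constructed log line: ISO-timestamp|deployer|operator|target|package."""
    ts, deployer, operator, target, package = line.strip().split("|")
    return DeployEvent(datetime.fromisoformat(ts), deployer, operator, target, package)


def triage(events: List[DeployEvent], baseline: Baseline) -> List[Tuple[DeployEvent, List[str]]]:
    """Return (event, reasons) for every event that deviates from the baseline."""
    findings = []
    for ev in events:
        reasons = []
        if ev.deployer not in baseline.deployers:
            reasons.append("deployer host not in known deployment systems")
        if ev.operator not in baseline.operators:
            reasons.append("operator account not in known deployment accounts")
        if package_name(ev.package) not in baseline.approved_packages:
            reasons.append("package not in approved catalogue")
        if not baseline.in_window(ev.ts):
            reasons.append("outside regular deployment window")
        if reasons:
            findings.append((ev, reasons))
    return findings


def count_by_deployer(findings: List[Tuple[DeployEvent, List[str]]]) -> Dict[str, int]:
    """Flagged pushes per originating host, so a host that never deploys stands out."""
    counts: Dict[str, int] = {}
    for ev, _ in findings:
        counts[ev.deployer] = counts.get(ev.deployer, 0) + 1
    return counts


# Constructed sample log: two routine patch pushes inside the window, two
# pushes of an unknown binary from a workstation by an ordinary user account
# in the afternoon, and one unapproved script pushed from the real server.
SAMPLE_LOG = [
    r"2024-03-12T02:15:00|DEPLOY-SRV01|CORP\svc_pdq|WKS-0412|\\fileshare\pkgs\chrome_122.msi",
    r"2024-03-12T02:17:30|DEPLOY-SRV01|CORP\svc_pdq|WKS-0413|\\fileshare\pkgs\chrome_122.msi",
    r"2024-03-12T14:02:11|WKS-0099|CORP\jdoe|WKS-0412|C:\Users\jdoe\Downloads\update.exe",
    r"2024-03-12T14:02:14|WKS-0099|CORP\jdoe|WKS-0413|C:\Users\jdoe\Downloads\update.exe",
    r"2024-03-12T02:20:00|DEPLOY-SRV01|CORP\svc_pdq|SRV-DB01|\\fileshare\pkgs\cleanup.bat",
]

# Constructed baseline for the sample environment.
SAMPLE_BASELINE = Baseline(
    deployers=frozenset({"DEPLOY-SRV01"}),
    operators=frozenset({r"CORP\svc_pdq", r"CORP\admin_patch"}),
    approved_packages=frozenset({"chrome_122.msi", "7zip_2301.msi"}),
    window_start=time(1, 0),
    window_end=time(5, 0),
)


def run_sample() -> List[Tuple[DeployEvent, List[str]]]:
    events = [parse_line(line) for line in SAMPLE_LOG]
    return triage(events, SAMPLE_BASELINE)


if __name__ == "__main__":
    findings = run_sample()
    for ev, reasons in findings:
        print(f"{ev.ts.isoformat()} {ev.deployer} -> {ev.target} [{ev.package}]")
        for reason in reasons:
            print("   -", reason)
    print("flagged pushes per deployer:", count_by_deployer(findings))
```

On the sample data the two workstation-originated pushes trip all four rules, while the `cleanup.bat` push from the legitimate server trips only the catalogue rule; that second case is the one the text has in mind when it says to compare against what is usually pushed, since deployer, account and timing all look normal. In a real environment the baseline would be built from historical deployment logs rather than hand-written.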
Shield Active Defense
Decoy System
Configure a computing system to serve as an attack target or experimental environment.
A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices, including user workstations, servers, networking systems, IoT (embedded) devices, mobile systems like phones, etc.
Opportunity
There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
Use Case
A defender can deploy a decoy software deployment tool within an adversary engagement environment to see how the adversary attempts to use the device during their activity.
Procedures
Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system. Set up a server that appears to be something commonly expected within a network, such as a web server.