Software Deployment Tools `T1072`

Tactics: Execution, Lateral Movement

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 5	Process terminated
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 4689	A process has exited.
ESF	exec	Process Execution (Notify)
SoftwareRestrictionPolicies	Event ID 865	Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.
SoftwareRestrictionPolicies	Event ID 866	Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.
SoftwareRestrictionPolicies	Event ID 867	Access to AttemptedPath has been restricted by your Administrator by software publisher policy.
SoftwareRestrictionPolicies	Event ID 868	Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
SoftwareRestrictionPolicies	Event ID 882	Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.

Authoring guide

Patterns shared across the 31 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (33 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`action`	6	`eq` 4, `in` 2	`completed`, `assigned`, `closed`, `converted_to_draft`, `edited`
`operationName`	6	`contains` 5, `in` 1	`devicemanagementconfigurationpolicy`, `create mobileapp`, `devicecompliancescript`, `devicehealthscript`, `devicemanagementscript`
`process_name`	6	`match` 3, `eq` 2, `in` 2	`(?i)radmin`, `apk`, `apt`, `apt-get`, `curl`
`CommandLine`	5	`match` 3, `contains` 2	`(?i)\/connect\:.*?\:`, `/scomma` , `/stext` , `https://jamf.`
`OriginalFileName`	4	`eq` 4	`csi.exe`, `pdqdeployconsole.exe`, `psexec.c`, `radmin.exe`, `rcsi.exe`
`sourcetype`	4	`eq` 4	`azure:monitor:activity`
`EventID`	3	`eq` 3	`4688`, `1`
`EventType`	3	`eq` 3	`exec`, `integration_installation.create`
`Image`	3	`contains` 1, `ends_with` 1, `starts_with` 1	`?:\windows\softwaredistribution\download\install\`, `\csi.exe`, `\device\harddiskvolume?\windows\softwaredistribution\down...`, `\rcsi.exe`, `policies\\{31b2f340-016d-11d2-945f-00c04fb984f9}`
`event.type`	3	`eq` 3	`start`
`Company`	2	`eq` 2	`Microsoft Corporation`, `PDQ.com`
`Description`	2	`eq` 2	`PDQ Deploy Console`, `Radmin Viewer`
`Product`	2	`eq` 2	`PDQ Deploy`, `Radmin Viewer`
`Type`	2	`eq` 2
`host.os.type`	2	`eq` 2

Top indicator values (117 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`sourcetype`	`eq`	`azure:monitor:activity` splunkMicrosoft Intune Device Health Scripts splunkMicrosoft Intune DeviceManagementConfigurationPolicies splunkMicrosoft Intune Manual Device Management splunkMicrosoft Intune Mobile Apps	4	5
`CommandLine`	`match`	`(?i)\/connect\:.*?\:` splunkRadmin execution (EDR) splunkRadmin execution (Sysmon) splunkRadmin execution (Windows Event Log)	3	3
`action`	`eq`	`completed` pantherGitHub pull_request_target Workflow Usage pantherGitHub Workflow Contains Checkout Action pantherGitHub Workflow Using Self-Hosted Runner	3	4
`event.type`	`eq`	`start` elasticPotential WSUS Abuse for Lateral Movement elasticSuspicious Curl to Jamf Endpoint elasticTool Installation Detected via Defend for Containers	3	606
`process_name`	`match`	`(?i)radmin` splunkRadmin execution (EDR) splunkRadmin execution (Sysmon) splunkRadmin execution (Windows Event Log)	3	3
`EventID`	`eq`	`4688` splunkRadmin execution (Windows Event Log) kustoNew EXE deployed via Default Domain or Default Domain Controller Policies	2	313
`EventID`	`eq`	`1` splunkRadmin execution (Sysmon)	1	237
`EventType`	`eq`	`exec` elasticSuspicious Curl to Jamf Endpoint elasticTool Installation Detected via Defend for Containers	2	171
`EventType`	`eq`	`integration_installation.create` elasticNew GitHub App Installed	1
`action`	`in`	`edited` pantherGitHub Malicious Issue/Pages Content pantherGitHub Malicious Pull Request Content	2	3
`action`	`in`	`opened` pantherGitHub Malicious Issue/Pages Content pantherGitHub Malicious Pull Request Content	2	2
`CommandLine`	`contains`	`/scomma` splunkDetection of tools built by NirSoft	1
`CommandLine`	`contains`	`/stext` splunkDetection of tools built by NirSoft	1
`CommandLine`	`contains`	`https://jamf.` elasticSuspicious Curl to Jamf Endpoint	1
`Company`	`eq`	`Microsoft Corporation` sigmaSuspicious Csi.exe Usage	1	2
`Company`	`eq`	`PDQ.com` sigmaPDQ Deploy Remote Adminstartion Tool Execution	1
`Description`	`eq`	`PDQ Deploy Console` sigmaPDQ Deploy Remote Adminstartion Tool Execution	1
`Description`	`eq`	`Radmin Viewer` sigmaPUA - Radmin Viewer Utility Execution	1
`Image`	`contains`	`policies\\{31b2f340-016d-11d2-945f-00c04fb984f9}` kustoNew EXE deployed via Default Domain or Default Domain Controller Policies	1
`Image`	`contains`	`policies\\{6ac1786c-016f-11d2-945f-00c04fb984f9}` kustoNew EXE deployed via Default Domain or Default Domain Controller Policies	1
`Image`	`ends_with`	`\csi.exe` sigmaSuspicious Csi.exe Usage	1	2
`Image`	`ends_with`	`\rcsi.exe` sigmaSuspicious Csi.exe Usage	1
`Image`	`starts_with`	`?:\windows\softwaredistribution\download\install\` elasticPotential WSUS Abuse for Lateral Movement	1
`Image`	`starts_with`	`\device\harddiskvolume?\windows\softwaredistribution\download\install\` elasticPotential WSUS Abuse for Lateral Movement	1
`Message`	`contains`	`malware` kustoBTP - Malware detected in BAS dev space	1
`OperationName`	`eq`	`Release.ReleasePipelineCreated` kustoAzure DevOps Pipeline Created and Deleted on the Same Day	1
`OperationName`	`eq`	`Release.ReleasePipelineDeleted` kustoAzure DevOps Pipeline Created and Deleted on the Same Day	1
`OriginalFileName`	`eq`	`csi.exe` sigmaSuspicious Csi.exe Usage	1	2
`OriginalFileName`	`eq`	`pdqdeployconsole.exe` sigmaPDQ Deploy Remote Adminstartion Tool Execution	1
`OriginalFileName`	`eq`	`psexec.c` elasticPotential WSUS Abuse for Lateral Movement	1	6

Exclusions (3 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`Process`	`eq`	`known_processes` kustoNew EXE deployed via Default Domain or Default Domain Controller Policies kustoNew EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)	2
`action`	`ne`	`opened` pantherGitHub Malicious Pull Request Content	1
`workflow_job.runner_name`	`starts_with`	`GitHub Actions` pantherGitHub Workflow Using Self-Hosted Runner	1

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Software Deployment Tools `T1072`

Events covered

Authoring guide

Fields filtered most (33 distinct)

Top indicator values (117 distinct)

Exclusions (3 distinct)

Rules under this technique

Sigma 4 rules

Elastic 4 rules

Splunk 8 rules

Kusto 4 rules

Panther 11 rules

Keyboard shortcuts

Search operators

Software Deployment Tools T1072

Events covered

Authoring guide

Fields filtered most (33 distinct)

Top indicator values (117 distinct)

Exclusions (3 distinct)

Rules under this technique

Sigma 4 rules

Elastic 4 rules

Splunk 8 rules

Kusto 4 rules

Panther 11 rules

Software Deployment Tools `T1072`