Common Information

Value: Third-party Software - T1072
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
MISP Type: Cluster
Description:

Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code.

Adversaries may gain access to and use third-party application deployment systems installed within an enterprise network. Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.

Detection:

Detection methods will vary depending on the type of third-party software or system and how it is typically used. The same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems.

Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Perform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.

Platforms: Linux, Windows, macOS
Data Sources: Binary file metadata, File monitoring, Process monitoring, Process use of network, Third-party application logs, Windows Registry
Permissions Required: Administrator, SYSTEM, User
Remote Support: Yes
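The detection guidance above (audit deployment logs, baseline which hosts push software and when, and what file types are usually pushed) can be turned into a simple baseline check. The following is an added example, not part of the MISP/ATT&CK text; the deployment server name, service account, push window, log record layout and sample records are all constructed assumptions.

```python
import os
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Deployment:
    timestamp: datetime  # when the push was issued
    source_host: str     # host that issued it
    account: str         # account that authorised it
    payload: str         # file/binary/script pushed to clients
    targets: int         # number of endpoints addressed

# Constructed baseline (assumptions, not from the page): the approved deployment
# server, its service account, the scheduled push window and usual payload types.
KNOWN_DEPLOY_SERVERS = {"sccm01.corp.example"}
KNOWN_DEPLOY_ACCOUNTS = {"svc_sccm"}
DEPLOY_WINDOW = (time(2, 0), time(5, 0))
USUAL_PAYLOAD_EXTS = {".msi", ".msp", ".cab"}

def parse_log_line(line):
    # Constructed record layout: "<iso-time> <host> <account> <payload> <targets>"
    ts, host, account, payload, targets = line.split()
    return Deployment(datetime.fromisoformat(ts), host, account, payload, int(targets))

def score_deployment(d):
    # Collect every way this push deviates from the baseline (empty list = normal).
    reasons = []
    if d.source_host not in KNOWN_DEPLOY_SERVERS:
        reasons.append("unknown deployment host")
    if d.account not in KNOWN_DEPLOY_ACCOUNTS:
        reasons.append("unknown account")
    if not DEPLOY_WINDOW[0] <= d.timestamp.time() <= DEPLOY_WINDOW[1]:
        reasons.append("outside deployment window")
    ext = os.path.splitext(d.payload)[1].lower()
    if ext not in USUAL_PAYLOAD_EXTS:
        reasons.append(f"unusual payload type {ext or '(none)'}")
    return reasons

def find_suspicious(lines):
    # (deployment, reasons) for each record that deviates from the baseline.
    return [(d, r) for d in map(parse_log_line, lines) if (r := score_deployment(d))]

# Constructed sample records, not real deployment-system logs.
SAMPLE_LOG = [
    "2025-01-14T03:12:00 sccm01.corp.example svc_sccm patch-kb0001.msi 420",
    "2025-01-14T03:30:00 sccm01.corp.example svc_sccm office-update.msp 120",
    "2025-01-14T14:05:00 ws-finance07.corp.example jdoe cleanup.ps1 4200",
    "2025-01-14T04:10:00 sccm01.corp.example svc_sccm tool.exe 4200",
]
for d, reasons in find_suspicious(SAMPLE_LOG):
    print(f"{d.timestamp} {d.source_host} {d.payload} -> {', '.join(reasons)}")
```

In practice the baseline sets would be built from the deployment system's own historical logs and correlated with login activity on the deployment server, as the detection text recommends.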
Related CTI

Published   | Attributes | CTI     | Title
2025-01-21  | 0          | Website | Cyber Threats to Watch For in 2025
2025-01-21  | 0          | Website | Best Automated Patch Management Software in 2025
2025-01-21  | 1          | Website | Hackers Weaponize npm Packages to Steal Solana Private Keys Via Gmail - CyberSRC
2025-01-20  | 0          | Website | Anne Neuberger Steps Down as White House Cybersecurity Advisor: What’s Next for U.S. Cyber Defense?
2025-01-19  | 0          | Website | Breaking Down Biden's Latest Executive Order: Expert Analysis and Perspectives - Cybersecurity Insiders
2025-01-19  | 3          | Website | The Five ICS Malware That Redefined Industrial Cyberthreats
2025-01-17  | 4          | Website | Cyber Briefing: 2025.01.17
2025-01-17  | 7          | Website | Navigating Cyber Risks: Key Challenges and Solutions for 2025
2025-01-17  | 2          | Website | Strengthening Cybersecurity in 2025: A Deep Dive into the New Executive Order
2025-01-16  | 2          | Website | Multiple Vulnerabilities in Rsync Could be Combined to Achieve RCE - Arctic Wolf
2025-01-16  | 2          | Website | Multiple Vulnerabilities in Rsync Could be Combined to Achieve RCE | Arctic Wolf
2025-01-16  | 2          | Website | White House Executive Order: Strengthening and Promoting Innovation in the Nation’s Cybersecurity
2025-01-16  | 12         | Website | New Cybersecurity Executive Order: What It Means for Federal Agencies
2025-01-16  | 2          | Website | New UEFI Secure Boot flaw exposes systems to bootkits, patch now
2025-01-15  | 1          | Website | Exploiting IDOR in a Support Portal Chatbot
2025-01-14  | 4          | Website | Global Cybersecurity Outlook 2025: Navigating Complexity and Building Resilience | WEF Report…
2025-01-14  | 2          | Website | The Future of Cybersecurity: Global Outlook 2025 and Beyond
2025-01-14  | 0          | Website | Is Your Solar Energy System Secure? Smart Home Cybersecurity Tips for Nigeria
2025-01-14  | 0          | Website | 2025 Cybersecurity Predictions - Cybersecurity Insiders
2025-01-14  | 0          | Website | Building AI vs. Using AI: What’s The Right Approach for Your Business Needs?
2025-01-14  | 16         | Website | CERT/CC Vulnerability Note VU#529659
2025-01-13  | 3          | Website | Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection
2025-01-13  | 1          | Website | Trusted-relationship cyberattacks and their prevention
2025-01-13  | 0          | Website | Supply Chain Security: A Key Pillar in the Modern Cybersecurity
2025-01-12  | 2          | Website | PCI DSS Requirements With v4.0.1 Updates For 2024