T1072: T1072
Essential information
- MITRE technique ID: T1072
- Confidence: 100/100
- Revoked: No
- Published: 31/05/2017 23:30
- Modified: 27/03/2026 01:11
- Author / Source: The MITRE Corporation
Aliases
Software Deployment Tools
Platforms
windows, macos, linux, Network Devices, SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (26)
- The MITRE Corporation · Confidence 100
  [APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…
  First seen 01/01/1970 · Last seen 16/11/5138
- Shai-Hulud uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)
  First seen 01/01/1970 · Last seen 16/11/5138
- RansomHub uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth…
  First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
  First seen 01/01/1970 · Last seen 16/11/5138
- Medusa Group uses · The MITRE Corporation · Confidence 100
  [Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…
  First seen 01/01/1970 · Last seen 16/11/5138
- Mirai uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- RomCom uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…
  First seen 01/01/1970 · Last seen 16/11/5138
- CrazyHunter uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
  First seen 01/01/1970 · Last seen 16/11/5138
Malware (71)
- cARM uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- CaddyWiper uses · Family · The MITRE Corporation · Confidence 100
  [CaddyWiper](https://attack.mitre.org/software/S0693) is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.(Citation: ESET CaddyWiper March 2022)(Citation: Cisco CaddyWiper March…
  First seen 01/01/1970 · Last seen 16/11/5138
- SystemBC uses · AlienVault · Confidence 100
  [SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment. [SystemBC](https://attack.mitre.org/software/S9001) executes a variety…
  First seen 01/01/1970 · Last seen 16/11/5138
- GodPotato uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- PlugX - S0013 uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- AgentTesla uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- sockstress uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Lcx uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- CobaltStrike uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Trigona uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Linuxsys uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Mimikatz uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Reports (28)
- AlienVault · Confidence 100 · 19 MITREs · 1 Malware · 7 IOCs · 7 Observables · 1 APT
- 9 MITREs · 1 Malware · 16 Observables
- 15 MITREs · 5 Observables · 1 APT
- 11 MITREs · 8 Observables · 1 APT
- 8 MITREs · 1 Malware
- 4 CVEs · 9 MITREs · 2 Malwares · 6 Observables
- 1 CVE · 7 MITREs · 2 Observables
- 14 MITREs · 1 Malware · 3 Observables · 1 APT
- 17 MITREs · 1 Malware · 3 Observables
- 1 CVE · 9 MITREs
- 10 MITREs · 5 Observables
- 19 MITREs · 2 Malwares · 1 APT
Vulnerabilities (CVE) (67)
Commands can be injected over the network and executed without authentication.
- Attack vector: NETWORK
- Published: 02/08/2024
- Modified: 21/12/2025
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …
- Attack vector: Network
- Published: 07/11/2023
- Modified: 21/12/2025
D-Link DIR-820 routers contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to escalate privileges to root via a …
- Attack vector: Network
- Published: 30/09/2024
- Modified: 21/12/2025
The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 and 80.103.2.5045 devices allows remote OS command execution by placing &telnetd in the JSON …
- Attack vector: NETWORK
- Published: 06/01/2023
- Modified: 21/12/2025
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, …
- Attack vector: Network
- Published: 09/07/2024
- Modified: 21/12/2025
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
- Attack vector: NETWORK
- Published: 30/08/2022
- Modified: 21/12/2025
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on …
- Published: 24/06/2025
- Modified: 20/03/2026
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector: Network
- Published: 05/10/2023
- Modified: 21/12/2025
NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands …
- Attack vector: Network
- Published: 10/01/2025
- Modified: 21/12/2025
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
- Published: 03/11/2021
- Modified: 20/12/2025
A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in …
- Attack vector: NETWORK
- Published: 25/01/2024
- Modified: 21/12/2025
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
- Published: 03/11/2021
- Modified: 20/12/2025
Course Of Action (9)
- Active Directory Configuration mitigates
- Limit Software Installation mitigates
- User Account Management mitigates
- Remote Data Storage mitigates
- Update Software mitigates
- User Training mitigates
- Network Segmentation mitigates
- Multi-factor Authentication mitigates
- Privileged Account Management mitigates
Campaign (1)
- C0018 uses