T1072: T1072
Essential information
- MITRE technique ID
T1072- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Software Deployment Tools
Platforms
windows macos linux Network Devices SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (26)
-
The MITRE Corporation Confidence 100
[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Shai-Hulud usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)
First seen 01/01/1970 · Last seen 16/11/5138 · -
RansomHub usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Medusa Group usesThe MITRE Corporation Confidence 100
[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mirai usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CrazyHunter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (71)
-
UPPERCUT usesFamily The MITRE Corporation Confidence 100
[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mirai usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UPPERCUT - S0275 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
POISONPLUG.SHADOW usesThe MITRE Corporation Confidence 100
[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BadPotato usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Morte usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SodaMaster usesFamily The MITRE Corporation Confidence 100
[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)
First seen 01/01/1970 · Last seen 16/11/5138 · -
RansomHub usesThe MITRE Corporation Confidence 100
[RansomHub](https://attack.mitre.org/software/S1212) is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Wedgecut usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ANELLDR usesAlienVault Confidence 100
[ANELLDR](https://attack.mitre.org/software/S9027), a loader that has been in use since at least 2018, was designed to decrypt and execute [UPPERCUT](https://attack.mitre.org/software/S0275) in memory. [ANELLDR](https://attack.mitre.org/software/S9027) can use anti-analysis techniques and is…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Matanbuchus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (28)
-
15 MITREs 3 Malwares 71 Observables 1 APT
-
18 MITREs 8 Malwares 12 Observables 1 APT
-
9 MITREs 1 Malware 3 Observables 1 APT
-
14 MITREs 1 Malware 1 APT
-
1 CVE 16 MITREs 5 Malwares 112 Observables 1 APT
-
4 CVEs 19 MITREs 1 Malware 15 Observables 1 APT
-
4 CVEs 6 MITREs 2 Malwares 2 Observables
-
12 MITREs 2 Malwares 1 Observable
-
13 MITREs 5 Malwares 6 Observables 1 APT
-
15 MITREs 10 Malwares 15 Observables
-
20 MITREs 1 Malware 5 Observables
-
10 MITREs 1 Malware 1 Observable
Vulnerabilities (CVE) (67)
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 …
- Attack vector
- NETWORK
- Published
- 27/12/2024
- Modified
- 21/12/2025
LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via …
- Attack vector
- NETWORK
- Published
- 26/03/2023
- Modified
- 21/12/2025
A vulnerability was found in LB-LINK AC1900 Router 1.0.2 and classified as critical. Affected by this issue is the function websGetVar of …
- Attack vector
- NETWORK
- Published
- 24/02/2025
- Modified
- 21/12/2025
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted …
- Attack vector
- Network
- Published
- 03/12/2024
- Modified
- 21/12/2025
Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 13/04/2022
- Modified
- 27/05/2026
A vulnerability was found in Totolink X6000R AX3000 9.4.0cu.852_20230719. It has been rated as critical. This issue affects the function setWizardCfg of …
- Attack vector
- ADJACENT_NETWORK
- Published
- 23/02/2024
- Modified
- 21/12/2025
D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to Command Injection via /goform/SystemCommand. After the user passes in the command parameter, it will be spliced …
- Attack vector
- NETWORK
- Published
- 01/09/2022
- Modified
- 21/12/2025
QNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.
- Attack vector
- Adjacent
- Published
- 21/12/2023
- Modified
- 28/02/2026
- Published
- 20/12/2025
- Modified
- 21/12/2025
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position …
- Attack vector
- NETWORK
- Published
- 28/11/2023
- Modified
- 21/12/2025
The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the …
- Attack vector
- NETWORK
- Published
- 25/11/2025
- Modified
- 21/12/2025
NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 14/12/2016
- Modified
- 22/04/2026
Course Of Action (9)
-
Active Directory Configuration mitigates
-
Limit Software Installation mitigates
-
User Account Management mitigates
-
Remote Data Storage mitigates
-
Update Software mitigates
-
User Training mitigates
-
Network Segmentation mitigates
-
Multi-factor Authentication mitigates
-
Privileged Account Management mitigates
Campaign (1)
-
C0018 uses