T1072: T1072
Essential information
- MITRE technique ID
T1072- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Software Deployment Tools
Platforms
windows macos linux Network Devices SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (26)
-
The MITRE Corporation Confidence 100
[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Shai-Hulud usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)
First seen 01/01/1970 · Last seen 16/11/5138 · -
RansomHub usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Medusa Group usesThe MITRE Corporation Confidence 100
[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mirai usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CrazyHunter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (71)
-
COBEACON usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CAPSAICIN usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SECONDBEST usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Roarur usesThe MITRE Corporation Confidence 100
[Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Bumblebee usesFamily The MITRE Corporation Confidence 100
[Bumblebee](https://attack.mitre.org/software/S1039) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Spark - S0543 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Moudoor usesThe MITRE Corporation Confidence 100
[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Knight usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Gh0stRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GoThief usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Dero usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cpolar usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (28)
-
15 MITREs 3 Malwares 71 Observables 1 APT
-
18 MITREs 8 Malwares 12 Observables 1 APT
-
9 MITREs 1 Malware 3 Observables 1 APT
-
14 MITREs 1 Malware 1 APT
-
1 CVE 16 MITREs 5 Malwares 112 Observables 1 APT
-
4 CVEs 19 MITREs 1 Malware 15 Observables 1 APT
-
4 CVEs 6 MITREs 2 Malwares 2 Observables
-
12 MITREs 2 Malwares 1 Observable
-
13 MITREs 5 Malwares 6 Observables 1 APT
-
15 MITREs 10 Malwares 15 Observables
-
20 MITREs 1 Malware 5 Observables
-
10 MITREs 1 Malware 1 Observable
Vulnerabilities (CVE) (67)
Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user …
- Published
- 07/08/2023
- Modified
- 20/12/2025
Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 used pickle as a serialization format for socket communication, potentially allowing for remote code execution. Socket …
- Attack vector
- NETWORK
- Published
- 23/10/2024
- Modified
- 21/12/2025
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out …
- Attack vector
- Local
- Published
- 20/12/2025
- Modified
- 30/12/2025
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and …
- Attack vector
- Network
- Complexity
- Low
- Published
- 21/02/2024
- Modified
- 29/04/2026
The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application …
- Attack vector
- Adjacent
- Published
- 02/10/2025
- Modified
- 21/12/2025
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by …
- Attack vector
- NETWORK
- Published
- 06/11/2024
- Modified
- 21/12/2025
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a …
- Attack vector
- NETWORK
- Published
- 01/08/2023
- Modified
- 21/12/2025
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the …
- Attack vector
- NETWORK
- Published
- 03/02/2025
- Modified
- 31/12/2025
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …
- Attack vector
- NETWORK
- Published
- 13/04/2024
- Modified
- 21/12/2025
TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.
- Attack vector
- Adjacent
- Published
- 01/05/2023
- Modified
- 21/12/2025
RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp.
- Attack vector
- NETWORK
- Published
- 16/01/2025
- Modified
- 21/12/2025
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to …
- Attack vector
- Network
- Published
- 18/11/2024
- Modified
- 21/12/2025
Course Of Action (9)
-
Active Directory Configuration mitigates
-
Limit Software Installation mitigates
-
User Account Management mitigates
-
Remote Data Storage mitigates
-
Update Software mitigates
-
User Training mitigates
-
Network Segmentation mitigates
-
Multi-factor Authentication mitigates
-
Privileged Account Management mitigates
Campaign (1)
-
C0018 uses