MITRE ATT&CK Technique
Lateral Movement T1017
Description

Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.

Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:30:27.755Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may deploy malicious software to systems within a '
                'network using application deployment systems employed by '
                'enterprise administrators. The permissions required for this '
                'action vary by system configuration; local credentials may be '
                'sufficient with direct access to the deployment server, or '
                'specific domain credentials may be required. However, the '
                'system may require an administrative account to log in or to '
                'perform software deployment.\n'
                '\n'
                'Access to a network-wide or enterprise-wide software '
                'deployment system enables an adversary to have remote code '
                'execution on all systems that are connected to such a system. '
                'The access may be used to laterally move to systems, gather '
                'information, or cause a specific effect, such as wiping the '
                'hard drives on all endpoints.',
 'external_references': [{'external_id': 'T1017',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1017'},
                         {'external_id': 'CAPEC-187',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/187.html'}],
 'id': 'attack-pattern--327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'lateral-movement'}],
 'modified': '2025-10-24T17:48:37.004Z',
 'name': 'Application Deployment Software',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}