DS0007 Image
A single file used to deploy a virtual machine/bootable disk into an on-premises or third-party cloud environment [1][2]
Item | Value |
---|---|
ID | DS0007 |
Platforms | IaaS |
Collection Layers | Cloud Control Plane |
Version | 1.0 |
Created | 20 October 2021 |
Last Modified | 10 November 2021 |
Data Components
Image Creation
Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)
Domain | ID | Name |
---|---|---|
enterprise | T1612 | Build Image on Host |
enterprise | T1525 | Implant Internal Image |
enterprise | T1204 | User Execution |
enterprise | T1204.003 | Malicious Image |
Image Deletion
Removal of a virtual machine image (ex: Azure Compute Service Images DELETE)
Domain | ID | Name |
---|---|---|
enterprise | T1485 | Data Destruction |
Image Metadata
Contextual data about a virtual machine image such as name, resource group, state, or type
Domain | ID | Name |
---|---|---|
enterprise | T1564 | Hide Artifacts |
enterprise | T1564.006 | Run Virtual Instance |
enterprise | T1525 | Implant Internal Image |
enterprise | T1036 | Masquerading |
enterprise | T1036.005 | Match Legitimate Name or Location |
Image Modification
Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)
Domain | ID | Name |
---|---|---|
enterprise | T1525 | Implant Internal Image |
References
1. Microsoft. (2021, August 23). Create a managed image of a generalized VM in Azure. Retrieved October 13, 2021.
2. Amazon. (n.d.). Amazon Machine Images (AMI). Retrieved October 13, 2021.
3. Johann Rehberger. (2020, September 23). Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021.
4. Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.