
DET0334 Detection Strategy for T1525 – Implant Internal Image

| Item | Value |
|---|---|
| ID | DET0334 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1525 (Implant Internal Image)

Analytics

Containers

AN0946

Implantation of malicious code into container images followed by registry push and use in new deployments.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Image Creation (DC0015) | docker:daemon | docker build or docker commit commands followed by docker push to internal registry |
| Image Modification (DC0036) | docker:registry | push event of new image version from unrecognized user or context |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Time threshold between image creation and use in deployment – typically rapid in adversarial activity. |
| UserContext | The expected users or service accounts performing image pushes. |
| RegistryNameRegex | Expected naming patterns for trusted registries. |
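The following is an added worked example of AN0946, not code from ATT&CK or from any Docker component. It assumes that dockerd audit/API logging (docker:daemon) and registry notification events (docker:registry) have already been normalised into one event shape; the event records, the user allowlist, the registry pattern and the 30-minute window are all constructed values standing in for the mutable elements above. It flags a push that comes from a user outside UserContext, a push whose target does not match RegistryNameRegex, and a build/commit → push → container-create chain that completes inside TimeWindow.

```python
import re
from datetime import datetime, timedelta

# Mutable elements of AN0946; these concrete values are assumptions for the example.
TIME_WINDOW = timedelta(minutes=30)            # create -> push -> deploy threshold
USER_CONTEXT = {"ci-builder", "release-bot"}   # accounts expected to push images
REGISTRY_NAME_REGEX = re.compile(r"^registry\.internal\.example/")

# Constructed events, already normalised to one shape. In practice the
# docker:daemon rows come from dockerd audit/API logging and the
# docker:registry rows from registry notification webhooks.
EVENTS = [
    {"ts": "2025-10-21T09:00:00", "channel": "docker:daemon", "action": "build",
     "image": "registry.internal.example/app/web:2.3.1", "user": "ci-builder"},
    {"ts": "2025-10-21T09:02:00", "channel": "docker:registry", "action": "push",
     "image": "registry.internal.example/app/web:2.3.1", "user": "ci-builder"},
    {"ts": "2025-10-21T13:10:00", "channel": "docker:daemon", "action": "commit",
     "image": "registry.internal.example/app/web:2.3.2", "user": "jdoe"},
    {"ts": "2025-10-21T13:12:00", "channel": "docker:registry", "action": "push",
     "image": "registry.internal.example/app/web:2.3.2", "user": "jdoe"},
    {"ts": "2025-10-21T13:20:00", "channel": "docker:daemon", "action": "create",
     "image": "registry.internal.example/app/web:2.3.2", "user": "jdoe"},
    {"ts": "2025-10-21T16:00:00", "channel": "docker:daemon", "action": "push",
     "image": "ghcr.example/mirror/web:2.3.1", "user": "ci-builder"},
]


def detect_implanted_images(events, time_window=TIME_WINDOW,
                            user_context=USER_CONTEXT,
                            registry_regex=REGISTRY_NAME_REGEX):
    """Flag image pushes from an unexpected user, to an unrecognised registry,
    or sitting inside a rapid build/commit -> push -> deploy chain."""
    def ts(e):
        return datetime.fromisoformat(e["ts"])

    # Group the stream per image reference so chains can be correlated.
    by_image = {}
    for e in sorted(events, key=ts):
        by_image.setdefault(e["image"], []).append(e)

    alerts = []
    for image, evs in by_image.items():
        creations = [e for e in evs if e["action"] in ("build", "commit")]
        deploys = [e for e in evs if e["action"] == "create"]
        for push in (e for e in evs if e["action"] == "push"):
            reasons = []
            if push["user"] not in user_context:
                reasons.append(f"push by unexpected user {push['user']}")
            if not registry_regex.search(image):
                reasons.append("push target does not match RegistryNameRegex")
            # A creation shortly before the push and a deployment shortly after it
            # is the fast implant -> publish -> use pattern the analytic describes.
            recent_build = any(timedelta(0) <= ts(push) - ts(c) <= time_window
                               for c in creations)
            quick_deploy = any(timedelta(0) <= ts(d) - ts(push) <= time_window
                               for d in deploys)
            if recent_build and quick_deploy:
                reasons.append("build/commit, push and deployment all within TimeWindow")
            if reasons:
                alerts.append({"image": image, "user": push["user"],
                               "push_ts": push["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_implanted_images(EVENTS):
        print(alert)
```

The trusted CI build of web:2.3.1 produces no alert even though build and push are two minutes apart, because nothing deploys it inside the window and the pusher is expected; tuning UserContext and TimeWindow to the environment's real release cadence is what keeps this analytic from firing on every pipeline run.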

IaaS

AN0947

Creation or modification of cloud virtual machine images (AMIs, custom images) with persistence mechanisms, followed by infrastructure provisioning that uses these implanted images.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Image Creation (DC0015) | AWS:CloudTrail | RegisterImage |
| Image Modification (DC0036) | AWS:CloudTrail | ModifyImageAttribute |
| Instance Start (DC0080) | AWS:CloudTrail | RunInstances |

Mutable Elements

| Field | Description |
|---|---|
| IAMRole | Roles that are allowed to register and modify images should be scoped narrowly. |
| ImageTagRegex | Expected tags or naming patterns for images (e.g., ‘golden-image’, ‘base-image’). |
| LaunchWindow | Time interval between image creation and instance launch. |
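The following is an added worked example of AN0947, not code from ATT&CK or from AWS. It runs over constructed, trimmed CloudTrail records (only the fields the analytic reads are present; the account id, role names and AMI ids are placeholders) and applies the three mutable elements above: RegisterImage or ModifyImageAttribute performed by a role outside the IAMRole allowlist, a registered image whose name does not match ImageTagRegex, and a RunInstances call that references an image within LaunchWindow of its registration or modification.

```python
import re
from datetime import datetime, timedelta

# Mutable elements of AN0947; the concrete values are assumptions for the example.
LAUNCH_WINDOW = timedelta(hours=1)
ALLOWED_IMAGE_ROLES = {"arn:aws:iam::111122223333:role/ImageBakeryRole"}  # placeholder account
IMAGE_TAG_REGEX = re.compile(r"^(golden|base)-image")

BAKERY = "arn:aws:iam::111122223333:role/ImageBakeryRole"
DEPLOY = "arn:aws:iam::111122223333:role/DeployRole"
DEVADMIN = "arn:aws:iam::111122223333:role/DevAdminRole"


def assumed_role(arn):
    """Build the userIdentity block CloudTrail writes for an assumed role (trimmed)."""
    return {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": arn}}}


# Constructed CloudTrail records, reduced to the fields this analytic reads.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2025-10-21T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RegisterImage", "userIdentity": assumed_role(BAKERY),
     "requestParameters": {"name": "golden-image-2025-10-21"},
     "responseElements": {"imageId": "ami-0aaa111"}},
    {"eventTime": "2025-10-21T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": assumed_role(DEPLOY),
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0aaa111"}]}}},
    {"eventTime": "2025-10-21T14:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RegisterImage", "userIdentity": assumed_role(DEVADMIN),
     "requestParameters": {"name": "web-backup"},
     "responseElements": {"imageId": "ami-0bbb222"}},
    {"eventTime": "2025-10-21T14:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": assumed_role(DEVADMIN),
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0bbb222"}]}}},
    {"eventTime": "2025-10-21T15:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyImageAttribute", "userIdentity": assumed_role(DEVADMIN),
     "requestParameters": {"imageId": "ami-0aaa111"}},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def principal_role(record):
    """Prefer the issuing role of an assumed-role session, else the caller ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or ident.get("arn", "unknown")


def evaluate_cloudtrail(records, launch_window=LAUNCH_WINDOW,
                        allowed_roles=ALLOWED_IMAGE_ROLES, tag_regex=IMAGE_TAG_REGEX):
    """Return {imageId: [reasons]} for images touched outside policy or
    launched suspiciously soon after being registered or modified."""
    findings = {}
    touched = {}  # imageId -> [(time, eventName)] for RegisterImage / ModifyImageAttribute

    def note(image_id, reason):
        findings.setdefault(image_id, []).append(reason)

    for r in sorted(records, key=lambda r: r["eventTime"]):
        name, when, role = r["eventName"], parse_time(r["eventTime"]), principal_role(r)
        if name == "RegisterImage":
            image_id = r["responseElements"]["imageId"]
            touched.setdefault(image_id, []).append((when, name))
            if role not in allowed_roles:
                note(image_id, f"RegisterImage by non-allowlisted role {role}")
            if not tag_regex.search(r["requestParameters"].get("name", "")):
                note(image_id, "image name does not match ImageTagRegex")
        elif name == "ModifyImageAttribute":
            image_id = r["requestParameters"]["imageId"]
            touched.setdefault(image_id, []).append((when, name))
            if role not in allowed_roles:
                note(image_id, f"ModifyImageAttribute by non-allowlisted role {role}")
        elif name == "RunInstances":
            for item in r["requestParameters"]["instancesSet"]["items"]:
                image_id = item["imageId"]
                for t, ev in touched.get(image_id, []):
                    if timedelta(0) <= when - t <= launch_window:
                        minutes = int((when - t).total_seconds() // 60)
                        note(image_id, f"{ev} followed by RunInstances after "
                                       f"{minutes} min (within LaunchWindow)")
    return findings


if __name__ == "__main__":
    for image_id, reasons in evaluate_cloudtrail(CLOUDTRAIL_RECORDS).items():
        print(image_id, reasons)
```

The golden image registered by the bakery role and launched four hours later by the deploy role is silent; the same image becomes a finding only when a non-allowlisted role later calls ModifyImageAttribute on it, which is the image-modification half of the technique and the reason the IAMRole allowlist applies to both calls, not just RegisterImage.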