T1525 Implant Internal Image
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.1
A tool has been developed to facilitate planting backdoors in cloud container images.2 If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.1
| Item | Value |
|---|---|
| ID | T1525 |
| Sub-techniques | |
| Tactics | TA0003 |
| Platforms | Containers, IaaS |
| Permissions required | User |
| Version | 2.1 |
| Created | 04 September 2019 |
| Last Modified | 08 March 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software. |
| M1045 | Code Signing | Several cloud service providers support content trust models that require container images be signed by trusted sources.34 |
| M1026 | Privileged Account Management | Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0007 | Image | Image Creation |
References
-
Rhino Labs. (2019, August). Exploiting AWS ECR and ECS with the Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019. ↩↩
-
Rhino Labs. (2019, September). Cloud Container Attack Tool (CCAT). Retrieved September 12, 2019. ↩
-
Microsoft. (2019, September 5). Content trust in Azure Container Registry. Retrieved October 16, 2019. ↩
-
Docker. (2019, October 10). Content trust in Docker. Retrieved October 16, 2019. ↩