T1525 Implant Container Image Mappings

Adversaries may implant cloud container images with malicious code to establish persistence. Amazon Web Services (AWS) Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images, and Azure Images, as well as images for popular container runtimes such as Docker, can be implanted or backdoored. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) Adversaries may also implant Docker images that may be inadvertently used in cloud deployments, which has been reported in some instances of cryptomining botnets.(Citation: ATT Cybersecurity Cryptocurrency Attacks on Cloud)


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
AC-2 | Account Management | Protects | T1525 | Implant Container Image
AC-3 | Access Enforcement | Protects | T1525 | Implant Container Image
AC-5 | Separation of Duties | Protects | T1525 | Implant Container Image
AC-6 | Least Privilege | Protects | T1525 | Implant Container Image
CA-8 | Penetration Testing | Protects | T1525 | Implant Container Image
CM-2 | Baseline Configuration | Protects | T1525 | Implant Container Image
CM-5 | Access Restrictions for Change | Protects | T1525 | Implant Container Image
CM-6 | Configuration Settings | Protects | T1525 | Implant Container Image
CM-7 | Least Functionality | Protects | T1525 | Implant Container Image
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1525 | Implant Container Image
IA-9 | Service Identification and Authentication | Protects | T1525 | Implant Container Image
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1525 | Implant Container Image
SI-2 | Flaw Remediation | Protects | T1525 | Implant Container Image
SI-3 | Malicious Code Protection | Protects | T1525 | Implant Container Image
SI-4 | System Monitoring | Protects | T1525 | Implant Container Image
SI-7 | Software, Firmware, and Information Integrity | Protects | T1525 | Implant Container Image
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1525 | Implant Container Image
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1525 | Implant Container Image
azure_defender_for_kubernetes | Azure Defender for Kubernetes | technique_scores | T1525 | Implant Container Image
azure_policy | Azure Policy | technique_scores | T1525 | Implant Container Image
azure_defender_for_container_registries | Azure Defender for Container Registries | technique_scores | T1525 | Implant Container Image
docker_host_hardening | Docker Host Hardening | technique_scores | T1525 | Implant Container Image