Adversaries may implant cloud container images with malicious code to establish persistence. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images, as well as images for popular container runtimes such as Docker, can be implanted or backdoored. Depending on how the infrastructure is provisioned, this can provide persistent access if the provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance and permissions to list the available container images, they may implant a backdoor such as a Web Shell.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) Adversaries may also implant Docker images that are then inadvertently used in cloud deployments, which has been reported in some instances of cryptomining botnets.(Citation: ATT Cybersecurity Cryptocurrency Attacks on Cloud)
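The persistence described above depends on two deployment habits: pulling by a floating tag (so whatever the registry currently serves as "latest" is what runs) and pulling from a registry outside the organisation's control. The following is an added example, not code from the page or from any of the mapped controls, that audits image references in a Kubernetes manifest for both conditions. The registry allowlist, the manifest and the digest are constructed values; the pinning check only confirms that a reference is immutable and does not verify any signature on the image.

```python
"""Audit container image references for floating tags and untrusted registries.

Added example (not part of the original page): flags the conditions that let an
implanted image persist, i.e. a reference that floats to whatever 'latest' is
and a pull from a registry outside the organisation's allowlist.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed registry allowlist for a hypothetical organisation (constructed values).
TRUSTED_REGISTRIES = {
    "myregistry.azurecr.io",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Matches 'image: <ref>' lines in a Kubernetes manifest (no YAML library needed).
IMAGE_LINE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^\s'\"]+)", re.MULTILINE)


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI reference into registry, repository, tag and digest.

    Follows the Docker/OCI reference grammar: the first path component is a
    registry only if it contains '.' or ':' or equals 'localhost'; otherwise
    the default is docker.io, with 'library/' prefixed to bare official names.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}@{digest!r}")
    tag = None
    # A ':' after the last '/' separates the tag; one before it is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repository = parts[0], "/".join(parts[1:])
    else:
        registry = "docker.io"
        repository = ref if "/" in ref else f"library/{ref}"
    return ImageRef(registry, repository, tag, digest)


def audit_image(ref: str) -> List[str]:
    """Return human-readable findings for one image reference (empty = clean)."""
    img = parse_image_ref(ref)
    findings = []
    if img.registry not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted registry {img.registry}")
    if img.digest is None:
        # Without a digest the reference resolves to whatever the registry
        # currently serves under that tag, so a replaced image is pulled silently.
        if img.tag is None or img.tag == "latest":
            findings.append("floating 'latest' tag with no digest pin")
        else:
            findings.append(f"mutable tag {img.tag!r} with no digest pin")
    return findings


def audit_manifest(manifest: str) -> Dict[str, List[str]]:
    """Audit every image reference in a Kubernetes manifest; keys are the refs."""
    return {ref: audit_image(ref) for ref in IMAGE_LINE_RE.findall(manifest)}


# Constructed sample manifest; the digest is a placeholder, not a real image.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: web
        image: nginx
      - name: api
        image: myregistry.azurecr.io/team/api:latest
      - name: worker
        image: myregistry.azurecr.io/team/worker@sha256:%s
""" % ("0" * 64)

if __name__ == "__main__":
    for ref, findings in audit_manifest(SAMPLE_MANIFEST).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ref}: {status}")
```

Run as a script, the sample reports the bare `nginx` reference twice (default registry docker.io is not on the allowlist, and no tag means an implicit `latest`), the `:latest` reference once, and the digest-pinned reference as clean. A digest pin only guarantees that the same bytes are pulled every time; whether those bytes were produced by a trusted party is the job of image signing, as the Azure Defender for Container Registries mapping below notes, and is deliberately out of scope here.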
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1525 | Implant Container Image | |
AC-3 | Access Enforcement | Protects | T1525 | Implant Container Image | |
AC-5 | Separation of Duties | Protects | T1525 | Implant Container Image | |
AC-6 | Least Privilege | Protects | T1525 | Implant Container Image | |
CA-8 | Penetration Testing | Protects | T1525 | Implant Container Image | |
CM-2 | Baseline Configuration | Protects | T1525 | Implant Container Image | |
CM-5 | Access Restrictions for Change | Protects | T1525 | Implant Container Image | |
CM-6 | Configuration Settings | Protects | T1525 | Implant Container Image | |
CM-7 | Least Functionality | Protects | T1525 | Implant Container Image | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1525 | Implant Container Image | |
IA-9 | Service Identification and Authentication | Protects | T1525 | Implant Container Image | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1525 | Implant Container Image | |
SI-2 | Flaw Remediation | Protects | T1525 | Implant Container Image | |
SI-3 | Malicious Code Protection | Protects | T1525 | Implant Container Image | |
SI-4 | System Monitoring | Protects | T1525 | Implant Container Image | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1525 | Implant Container Image | |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1525 | Implant Container Image | Comments: This control's "Container images should be deployed from trusted registries only", "Container registries should not allow unrestricted network access" and "Container registries should use private link" recommendations help ensure that container images are loaded only from trusted registries, thereby mitigating this technique. |
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1525 | Implant Container Image | Comments: This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are generated only for containers on Linux endpoint machines, not for containers running from an Azure Docker deployment. |
azure_defender_for_kubernetes | Azure Defender for Kubernetes | technique_scores | T1525 | Implant Container Image | Comments: This control may alert on containers with sensitive volume mounts, unneeded privileges, or an image running digital currency mining software. |
azure_policy | Azure Policy | technique_scores | T1525 | Implant Container Image | Comments: This control may provide recommendations to enable scanning and auditing of container images, which can surface images that were added with high privileges or that contain vulnerabilities. |
azure_defender_for_container_registries | Azure Defender for Container Registries | technique_scores | T1525 | Implant Container Image | Comments: This control may prevent adversaries from implanting malicious container images through fine-grained permissions and container image tag signing. Image tag signing provides verifiable container images that have been signed with legitimate keys. |
azure_defender_for_container_registries | Azure Defender for Container Registries | technique_scores | T1525 | Implant Container Image | Comments: This control may scan and alert on the import or creation of container images with known vulnerabilities or a possibly expanded attack surface. |
docker_host_hardening | Docker Host Hardening | technique_scores | T1525 | Implant Container Image | Comments: This control may alert on Docker containers that are misconfigured or do not conform to the CIS Docker Benchmark. This may detect container images implanted within Linux VMs that carry specific vulnerabilities or misconfigurations for malicious purposes. |