1. Home
  2. ATT&CK Techniques
  3. T1525 Implant Internal Image

T1525 Implant Internal Image Mappings

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1525 Implant Internal Image
AC-3 Access Enforcement Protects T1525 Implant Internal Image
AC-5 Separation of Duties Protects T1525 Implant Internal Image
AC-6 Least Privilege Protects T1525 Implant Internal Image
CA-8 Penetration Testing Protects T1525 Implant Internal Image
CM-2 Baseline Configuration Protects T1525 Implant Internal Image
CM-5 Access Restrictions for Change Protects T1525 Implant Internal Image
CM-6 Configuration Settings Protects T1525 Implant Internal Image
CM-7 Least Functionality Protects T1525 Implant Internal Image
IA-2 Identification and Authentication (organizational Users) Protects T1525 Implant Internal Image
IA-9 Service Identification and Authentication Protects T1525 Implant Internal Image
RA-5 Vulnerability Monitoring and Scanning Protects T1525 Implant Internal Image
SI-2 Flaw Remediation Protects T1525 Implant Internal Image
SI-3 Malicious Code Protection Protects T1525 Implant Internal Image
SI-4 System Monitoring Protects T1525 Implant Internal Image
SI-7 Software, Firmware, and Information Integrity Protects T1525 Implant Internal Image
CVE-2018-15869 n/a uncategorized T1525 Implant Internal Image
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1525 Implant Container Image
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1525 Implant Container Image
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1525 Implant Container Image
action.malware.variety.RAT Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' related-to T1525 Implant Container Image
action.malware.variety.Unknown Unknown related-to T1525 Implant Container Image
aws_config AWS Config technique_scores T1525 Implant Internal Image