T1204.003

Malicious Image

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is m...

IaaS, Containers

10 Detections
1 Source
1 Threat Actor

BY SOURCE

splunk_escu: 10

PROCEDURES (6)

Registry: 3 detections

Auto-extracted: 3 detections for registry

Service: 2 detections

Auto-extracted: 2 detections for service

Service: 2 detections

Auto-extracted: 2 detections for service

Macro: 1 detection

Auto-extracted: 1 detection for macro

Macro: 1 detection

Auto-extracted: 1 detection for macro

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

THREAT ACTORS (1)

DETECTIONS (10)