WARNING THIS IS A EXPERIMENTAL object
We have not been able to test, simulate, or build datasets for this object. Use at your own risk. This analytic is NOT supported.
This searches show information on uploaded containers including source user, image id, source IP user type, http user agent, region, first time, last time of operation (PutImage). These searches are based on Cloud Infrastructure Data Model.
- Type: Hunting
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-02-20
- Author: Rod Soto, Rico Valdez, Splunk
- ID: f0f70b40-f7ad-489d-9905-23d149da8099
|T1525||Implant Internal Image||Persistence|
Kill Chain Phase
1 2 3 4 | tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Compute where Compute.user_type!="AssumeRole" AND Compute.http_user_agent="AWS Internal" AND Compute.event_name="PutImage" by Compute.image_id Compute.src_user Compute.src Compute.region Compute.msg Compute.user_type | `drop_dm_object_name("Compute")` | `new_container_uploaded_to_aws_ecr_filter`
The SPL above uses the following Macros:
Note that new_container_uploaded_to_aws_ecr_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
How To Implement
You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also install Cloud Infrastructure data model. Please also customize the
container_implant_aws_detection_filter macro to filter out the false positives.
Known False Positives
Uploading container is a normal behavior from developers or users with access to container registry.
Associated Analytic story
source | version: 1