New container uploaded to AWS ECR
⚠️ WARNING THIS IS A EXPERIMENTAL DETECTION
We have not been able to test, simulate or build datasets for it, use at your own risk!
Description
This searches show information on uploaded containers including source user, image id, source IP user type, http user agent, region, first time, last time of operation (PutImage). These searches are based on Cloud Infrastructure Data Model.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-02-20
- Author: Rod Soto, Rico Valdez, Splunk
- ID: f0f70b40-f7ad-489d-9905-23d149da8099
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1525 | Implant Internal Image | Persistence |
Search
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Compute where Compute.user_type!="AssumeRole" AND Compute.http_user_agent="AWS Internal" AND Compute.event_name="PutImage" by Compute.image_id Compute.src_user Compute.src Compute.region Compute.msg Compute.user_type
| `drop_dm_object_name("Compute")`
| `new_container_uploaded_to_aws_ecr_filter`
Associated Analytic Story
How To Implement
You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also install Cloud Infrastructure data model. Please also customize the container_implant_aws_detection_filter macro to filter out the false positives.
Required field
- _time
Kill Chain Phase
Known False Positives
Uploading container is a normal behavior from developers or users with access to container registry.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1