
Description

Use the searches in this story to monitor your container registry repositories (the images your Kubernetes clusters pull from) for the upload and deployment of potentially vulnerable, backdoored, or implanted container images. The searches surface the source user, destination path, container name, and repository name for each upload. They provide context for MITRE ATT&CK technique T1525 (Implant Internal Image), in which an adversary uploads a tampered image to a company's repository in a registry such as Amazon Elastic Container Registry, Google Container Registry, or Azure Container Registry.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-02-20
  • Author: Rod Soto, Rico Valdez, Splunk
  • ID: aa0e28b1-0521-4b6f-9d2a-7b87e34af246

Narrative

Container registries let organizations keep customized images of their development and infrastructure environments private. However, if these repositories are misconfigured or a privileged user's credentials are compromised, attackers can upload implanted containers that are then deployed across the organization. These searches let operators monitor who uploaded what to the container registry, and when.
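As an added example, not part of the Splunk story and not one of its searches, the Python below runs the core of such a hunt over a few constructed AWS CloudTrail records: it keeps successful ECR PutImage events, summarizes who pushed which repository and tag and when (the equivalent of a stats count/min/max by user, repository, tag), and then compares each push against an assumed baseline of already-reviewed images. The CloudTrail field names (eventSource, eventName, requestParameters.repositoryName, requestParameters.imageTag, responseElements.image.imageId.imageDigest) are the real schema; the account, ARNs, digests and the BASELINE mapping are made up for this example.

```python
"""
Added example (not code from the Splunk story): hunt for new or overwritten
images pushed to AWS ECR, using CloudTrail PutImage records.
All records, ARNs, digests and the baseline below are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed CloudTrail records (JSON lines). Includes a pull (BatchGetImage),
# a re-tag of an existing tag with different content, a push to a new repo,
# and a denied push, so each branch of the hunt is exercised.
SAMPLE_CLOUDTRAIL = r'''
{"eventTime":"2020-02-19T10:02:11Z","eventSource":"ecr.amazonaws.com","eventName":"PutImage","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deployer","userName":"ci-deployer"},"requestParameters":{"registryId":"111122223333","repositoryName":"web/frontend","imageTag":"v1.4.2"},"responseElements":{"image":{"imageId":{"imageDigest":"sha256:aaaa1111"}}}}
{"eventTime":"2020-02-19T10:05:40Z","eventSource":"ecr.amazonaws.com","eventName":"BatchGetImage","awsRegion":"us-east-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/eks-node/i-0abc"},"requestParameters":{"registryId":"111122223333","repositoryName":"web/frontend"}}
{"eventTime":"2020-02-19T23:47:03Z","eventSource":"ecr.amazonaws.com","eventName":"PutImage","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor-jdoe","userName":"contractor-jdoe"},"requestParameters":{"registryId":"111122223333","repositoryName":"web/frontend","imageTag":"v1.4.2"},"responseElements":{"image":{"imageId":{"imageDigest":"sha256:bbbb2222"}}}}
{"eventTime":"2020-02-20T01:12:55Z","eventSource":"ecr.amazonaws.com","eventName":"PutImage","awsRegion":"eu-west-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor-jdoe","userName":"contractor-jdoe"},"requestParameters":{"registryId":"111122223333","repositoryName":"infra/base-python","imageTag":"latest"},"responseElements":{"image":{"imageId":{"imageDigest":"sha256:cccc3333"}}}}
{"eventTime":"2020-02-20T01:13:10Z","eventSource":"ecr.amazonaws.com","eventName":"PutImage","awsRegion":"eu-west-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deployer","userName":"ci-deployer"},"requestParameters":{"registryId":"111122223333","repositoryName":"web/frontend","imageTag":"v1.4.3"},"errorCode":"AccessDeniedException"}
'''

# Assumed baseline of reviewed images: (repository, tag) -> content digest.
BASELINE = {("web/frontend", "v1.4.2"): "sha256:aaaa1111"}


def _parse_time(s):
    # CloudTrail eventTime is ISO 8601 UTC with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_put_images(cloudtrail_jsonl):
    """Keep successful ECR PutImage events and flatten the fields the hunt needs."""
    pushes = []
    for line in cloudtrail_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventSource") != "ecr.amazonaws.com" or ev.get("eventName") != "PutImage":
            continue  # pulls, describes, logins: not uploads
        if "errorCode" in ev:
            continue  # denied push, nothing landed in the registry
        req = ev.get("requestParameters", {})
        digest = (ev.get("responseElements", {}).get("image", {})
                  .get("imageId", {}).get("imageDigest"))
        pushes.append({
            "time": _parse_time(ev["eventTime"]),
            "user_arn": ev["userIdentity"].get("arn"),
            "region": ev.get("awsRegion"),
            "registry": req.get("registryId"),
            "repo": req.get("repositoryName"),
            "tag": req.get("imageTag"),
            "digest": digest,
        })
    return pushes


def summarize_pushes(pushes):
    """Who pushed what, where and when: count/first/last by (user, repo, tag)."""
    summary = {}
    for p in pushes:
        key = (p["user_arn"], p["repo"], p["tag"])
        s = summary.setdefault(key, {"count": 0, "first": p["time"],
                                     "last": p["time"], "regions": set()})
        s["count"] += 1
        s["first"] = min(s["first"], p["time"])
        s["last"] = max(s["last"], p["time"])
        s["regions"].add(p["region"])
    return summary


def hunt_new_images(pushes, baseline):
    """Flag a push when its repo/tag was never reviewed (new_image) or when a
    reviewed tag now resolves to a different digest (tag_overwrite), which is
    how an implanted image would silently replace a trusted one."""
    findings = []
    for p in sorted(pushes, key=lambda x: x["time"]):
        key = (p["repo"], p["tag"])
        if key not in baseline:
            findings.append(("new_image", p))
        elif baseline[key] != p["digest"]:
            findings.append(("tag_overwrite", p))
        # identical digest re-pushed: nothing new to review
    return findings


if __name__ == "__main__":
    pushes = parse_put_images(SAMPLE_CLOUDTRAIL)
    for (user, repo, tag), s in summarize_pushes(pushes).items():
        print(f"{user} pushed {repo}:{tag} x{s['count']} "
              f"first={s['first'].isoformat()} regions={sorted(s['regions'])}")
    for kind, p in hunt_new_images(pushes, BASELINE):
        print(f"[{kind}] {p['repo']}:{p['tag']} {p['digest']} by {p['user_arn']} "
              f"at {p['time'].isoformat()} ({p['region']})")
```

The digest comparison is the part worth carrying into a real search: a tag like latest or v1.4.2 is mutable, so a PutImage that reuses an existing tag with a new imageDigest is a stronger implant signal than a brand-new tag, and pulls (BatchGetImage) by cluster nodes after that push tell you where the replaced image was deployed.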

Detections

Name | Technique | Type
New container uploaded to AWS ECR | Implant Internal Image | Hunting

Reference

source | version: 1