⚠️ WARNING THIS IS A EXPERIMENTAL DETECTION
We have not been able to test, simulate or build datasets for it, use at your own risk!
This searches show information on uploaded containers including source user, image id, source IP user type, http user agent, region, first time, last time of operation (PutImage). These searches are based on Cloud Infrastructure Data Model.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-02-20
- Author: Rod Soto, Rico Valdez, Splunk
- ID: f0f70b40-f7ad-489d-9905-23d149da8099
|T1525||Implant Internal Image||Persistence|
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Compute where Compute.user_type!="AssumeRole" AND Compute.http_user_agent="AWS Internal" AND Compute.event_name="PutImage" by Compute.image_id Compute.src_user Compute.src Compute.region Compute.msg Compute.user_type | `drop_dm_object_name("Compute")` | `new_container_uploaded_to_aws_ecr_filter`
Associated Analytic Story
How To Implement
You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also install Cloud Infrastructure data model. Please also customize the
container_implant_aws_detection_filter macro to filter out the false positives.
Kill Chain Phase
Known False Positives
Uploading container is a normal behavior from developers or users with access to container registry.
source | version: 1