⚠️ WARNING THIS IS A EXPERIMENTAL DETECTION

We have not been able to test, simulate or build datasets for it, use at your own risk!

Try in Splunk Security Cloud

Description

This searches show information on uploaded containers including source user, image id, source IP user type, http user agent, region, first time, last time of operation (PutImage). These searches are based on Cloud Infrastructure Data Model.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-02-20
  • Author: Rod Soto, Rico Valdez, Splunk
  • ID: f0f70b40-f7ad-489d-9905-23d149da8099

ATT&CK

ID Technique Tactic
T1525 Implant Internal Image Persistence

| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Compute where Compute.user_type!="AssumeRole" AND Compute.http_user_agent="AWS Internal" AND Compute.event_name="PutImage" by Compute.image_id Compute.src_user Compute.src Compute.region Compute.msg Compute.user_type 
| `drop_dm_object_name("Compute")` 
| `new_container_uploaded_to_aws_ecr_filter` 

Associated Analytic Story

How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also install Cloud Infrastructure data model. Please also customize the container_implant_aws_detection_filter macro to filter out the false positives.

Required field

  • _time

Kill Chain Phase

Known False Positives

Uploading container is a normal behavior from developers or users with access to container registry.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1