Detect Malicious Image in Google Chronicle
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services AMIs, Google Cloud Platform Images, Azure Images, and container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to public repositories, and users may download and deploy an instance or container without realizing the image is malicious. This technique is commonly used to deploy cryptocurrency miners, backdoors, and data exfiltration tools. TeamTNT is a prominent threat actor known for publishing malicious Docker images to Docker Hub containing XMRig cryptocurrency miners and credential stealers. Adversaries may also typosquat popular image names to increase the likelihood of accidental deployment.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Sub-technique
- T1204.003 Malicious Image
- Canonical reference
- https://attack.mitre.org/techniques/T1204/003/
YARA-L Detection Query
rule t1204_003_malicious_image_execution {
meta:
author = "df00tech"
description = "Detects T1204.003 Malicious Image execution via cryptocurrency miner processes, mining pool network connections, or suspicious cloud image deployments"
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Execution"
mitre_attack_technique = "T1204.003"
reference = "https://attack.mitre.org/techniques/T1204/003/"
rule_version = "1.0"
events:
(
// Branch 1: Miner process execution by binary name
(
$e.metadata.event_type = "PROCESS_LAUNCH"
and (
re.regex($e.principal.process.file.full_path, `(?i)(xmrig|xmrig-notls|minerd|cpuminer|cryptonight|nbminer|t-rex|lolminer|ethminer|cgminer|bfgminer|claymore|phoenixminer|teamtntbot)(\.|$)`) nocase
or re.regex($e.target.process.command_line, `(?i)(stratum\+tcp://|stratum\+ssl://|--donate-level|-o pool\.|xmrpool|supportxmr|minexmr|moneroocean|hashvault|nanopool)`) nocase
)
)
or
// Branch 2: Mining pool network connections on known ports
(
$e.metadata.event_type = "NETWORK_CONNECTION"
and $e.target.port in (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999)
and not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
and not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
and not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
and not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
and not re.regex($e.principal.process.file.full_path, `(?i)(chrome|firefox|msedge|brave|opera|iexplore)\.exe$`) nocase
)
or
// Branch 3: DNS resolution for known mining pool domains
(
$e.metadata.event_type = "NETWORK_DNS"
and (
re.regex($e.network.dns.questions.name, `(?i)(minexmr\.com|supportxmr\.com|nanopool\.org|f2pool\.com|antpool\.com|pool\.minergate\.com|xmrpool\.eu|hashvault\.pro|moneroocean\.stream|xmr\.pool)`) nocase
)
)
or
// Branch 4: Cloud instance launch events (AWS/GCP/Azure)
(
$e.metadata.event_type = "USER_RESOURCE_CREATION"
and (
$e.metadata.product_name = "AWS CloudTrail"
or $e.metadata.product_name = "Azure Activity"
or $e.metadata.product_name = "GCP Cloud Audit"
)
and re.regex($e.metadata.description, `(?i)(RunInstances|VIRTUALMACHINES/WRITE|compute\.instances\.insert)`) nocase
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1204.003 Malicious Image indicators across four branches: process launches matching known cryptocurrency miner binary names or mining pool command-line arguments, network connections to known mining pool ports from non-browser processes, DNS resolution of known mining pool domains, and cloud resource creation events from AWS/Azure/GCP indicating instance launch from potentially malicious images.
Data Sources
Required Tables
False Positives & Tuning
- Internal cloud automation tools that launch EC2, Azure VM, or GCE instances from custom or marketplace images not recognized by well-known publisher allow-lists, causing false positives on the cloud image deployment branch
- Legitimate developers working on blockchain or cryptocurrency projects who run mining software locally for testing consensus mechanisms or integration testing
- Network appliances or IoT devices communicating over ports in the mining pool range for unrelated protocols (e.g., some industrial control systems use port 4444 for legitimate traffic)
Other platforms for T1204.003
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Docker Container Executing Cryptocurrency Miner Process Name
Expected signal: Linux syslog or auditd process creation event showing process name 'xmrig' spawned under dockerd/containerd parent process. If Sysmon for Linux is deployed, EventCode=1 with Image containing 'xmrig' and ParentImage containing 'containerd-shim' or 'runc'. Docker daemon logs show container start/stop events.
- Test 2Simulate Mining Pool Network Connection Attempt
Expected signal: If Sysmon for Linux is deployed: EventCode=3 network connection event with Image=curl, DestinationPort=3333, DestinationHostname=pool.minexmr.com. DNS query EventCode=22 for pool.minexmr.com. On Windows equivalent: 'Test-NetConnection -ComputerName pool.minexmr.com -Port 3333' generates Sysmon EventCode=3.
- Test 3Pull and Inspect Publicly Known Malicious-Style Docker Image Name
Expected signal: Docker daemon log entry for image pull. Process creation event for 'wget' process spawned from container runtime (dockerd/containerd parent). Network connection attempt to 127.0.0.1:3333 generating Sysmon EventCode=3 or auditd network event. 'docker history' output shows image layer commands.
- Test 4AWS EC2 Instance Launch from Public Community AMI
Expected signal: AWS CloudTrail RunInstances event with eventName=RunInstances, requestParameters.instancesSet.items[0].imageId containing the public AMI ID, userIdentity fields showing the executing principal, awsRegion=us-east-1. Followed by StopInstances event.
- Test 5Container Environment Variable Credential Exposure Simulation
Expected signal: Process creation event with container spawning wget/curl with credential parameters visible in command line. Network connection attempt to exfil endpoint. Container inspect shows AWS_* environment variables in container configuration. Linux syslog shows process execution under dockerd parent.
References (10)
- https://attack.mitre.org/techniques/T1204/003/
- https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/
- https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf
- https://www.lacework.com/blog/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
- https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-masquerade/
- https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md
- https://sysdig.com/blog/teamtnt-docker-hub-cryptomining/
- https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports
Unlock Pro Content
Get the full detection package for T1204.003 including response playbook, investigation guide, and atomic red team tests.