Detect Malicious Image in Elastic Security
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services AMIs, Google Cloud Platform Images, Azure Images, and container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to public repositories, and users may download and deploy an instance or container without realizing the image is malicious. This technique is commonly used to deploy cryptocurrency miners, backdoors, and data exfiltration tools. TeamTNT is a prominent threat actor known for publishing malicious Docker images to Docker Hub containing XMRig cryptocurrency miners and credential stealers. Adversaries may also typosquat popular image names to increase the likelihood of accidental deployment.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Sub-technique
- T1204.003 Malicious Image
- Canonical reference
- https://attack.mitre.org/techniques/T1204/003/
Elastic Detection Query
sequence by host.name with maxspan=5m
[
any where event.category == "process" and event.type == "start"
and (
process.name in ("xmrig", "xmrig-notls", "minerd", "cpuminer", "cryptonight", "nbminer", "t-rex", "lolminer", "ethminer", "cgminer", "bfgminer", "claymore", "phoenixminer", "teamtntbot")
or process.args : ("stratum+tcp://*", "stratum+ssl://*", "--donate-level", "-o pool.*", "*xmrpool*", "*supportxmr*", "*minexmr*", "*moneroocean*", "*hashvault*", "*nanopool*")
)
] by process.entity_id
nor
any where event.category == "network" and event.type == "connection"
and destination.port in (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999)
and not destination.ip : ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
and not process.name in ("firefox.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "iexplore.exe")
nor
any where event.category == "network" and event.type == "connection"
and dns.question.name in (
"minexmr.com", "supportxmr.com", "nanopool.org", "f2pool.com",
"antpool.com", "pool.minergate.com", "xmrpool.eu", "hashvault.pro",
"moneroocean.stream", "xmr.pool"
)Detects malicious image execution indicators: cryptocurrency miner processes by name or command-line arguments referencing mining pools, outbound connections to known mining pool ports and domains, and DNS queries to mining pool infrastructure. Covers T1204.003 by correlating process execution with network behavior indicative of containerized or VM-deployed miners.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cryptocurrency mining software installed by the system owner on personal or dedicated mining hardware
- Security research environments running miner samples in sandboxes for analysis or testing detection fidelity
- Developers building or testing cryptocurrency-related software who run miner binaries locally with mining pool arguments
Other platforms for T1204.003
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Docker Container Executing Cryptocurrency Miner Process Name
Expected signal: Linux syslog or auditd process creation event showing process name 'xmrig' spawned under dockerd/containerd parent process. If Sysmon for Linux is deployed, EventCode=1 with Image containing 'xmrig' and ParentImage containing 'containerd-shim' or 'runc'. Docker daemon logs show container start/stop events.
- Test 2Simulate Mining Pool Network Connection Attempt
Expected signal: If Sysmon for Linux is deployed: EventCode=3 network connection event with Image=curl, DestinationPort=3333, DestinationHostname=pool.minexmr.com. DNS query EventCode=22 for pool.minexmr.com. On Windows equivalent: 'Test-NetConnection -ComputerName pool.minexmr.com -Port 3333' generates Sysmon EventCode=3.
- Test 3Pull and Inspect Publicly Known Malicious-Style Docker Image Name
Expected signal: Docker daemon log entry for image pull. Process creation event for 'wget' process spawned from container runtime (dockerd/containerd parent). Network connection attempt to 127.0.0.1:3333 generating Sysmon EventCode=3 or auditd network event. 'docker history' output shows image layer commands.
- Test 4AWS EC2 Instance Launch from Public Community AMI
Expected signal: AWS CloudTrail RunInstances event with eventName=RunInstances, requestParameters.instancesSet.items[0].imageId containing the public AMI ID, userIdentity fields showing the executing principal, awsRegion=us-east-1. Followed by StopInstances event.
- Test 5Container Environment Variable Credential Exposure Simulation
Expected signal: Process creation event with container spawning wget/curl with credential parameters visible in command line. Network connection attempt to exfil endpoint. Container inspect shows AWS_* environment variables in container configuration. Linux syslog shows process execution under dockerd parent.
References (10)
- https://attack.mitre.org/techniques/T1204/003/
- https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/
- https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf
- https://www.lacework.com/blog/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
- https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-masquerade/
- https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md
- https://sysdig.com/blog/teamtnt-docker-hub-cryptomining/
- https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports
Unlock Pro Content
Get the full detection package for T1204.003 including response playbook, investigation guide, and atomic red team tests.