T1204.003 IBM QRadar · QRadar

Detect Malicious Image in IBM QRadar

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services AMIs, Google Cloud Platform Images, Azure Images, and container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to public repositories, and users may download and deploy an instance or container without realizing the image is malicious. This technique is commonly used to deploy cryptocurrency miners, backdoors, and data exfiltration tools. TeamTNT is a prominent threat actor known for publishing malicious Docker images to Docker Hub containing XMRig cryptocurrency miners and credential stealers. Adversaries may also typosquat popular image names to increase the likelihood of accidental deployment.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.003 Malicious Image
Canonical reference
https://attack.mitre.org/techniques/T1204/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  destinationip AS DestIP,
  destinationport AS DestPort,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN "Process Name" ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%nbminer%','%t-rex%','%lolminer%','%ethminer%','%cgminer%','%bfgminer%','%phoenixminer%','%teamtntbot%') THEN 'MinerProcessExecution'
    WHEN destinationport IN (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999) THEN 'MiningPoolNetworkConnection'
    WHEN "Command" ILIKE ANY ('%stratum+tcp%','%stratum+ssl%','%donate-level%','%xmrpool%','%supportxmr%','%minexmr%','%moneroocean%','%hashvault%','%nanopool%') THEN 'MinerCommandLineArgs'
    WHEN LOGSOURCETYPEID(logsourceid) = 347 AND QIDNAME(qid) ILIKE '%RunInstances%' THEN 'AWSInstanceLaunch'
    ELSE 'Unknown'
  END AS DetectionBranch
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (12, 347, 433)
  AND devicetime > (NOW() - 86400000)
  AND (
    "Process Name" ILIKE ANY ('%xmrig%','%xmrig-notls%','%minerd%','%cpuminer%','%nbminer%','%t-rex%','%lolminer%','%ethminer%','%cgminer%','%bfgminer%','%phoenixminer%','%teamtntbot%','%cryptonight%')
    OR "Command" ILIKE ANY ('%stratum+tcp%','%stratum+ssl%','%--donate-level%','%xmrpool%','%supportxmr%','%minexmr%','%moneroocean%','%hashvault%','%nanopool%')
    OR (
      destinationport IN (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999)
      AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '172.17.%' OR destinationip ILIKE '192.168.%' OR destinationip ILIKE '127.%')
      AND "Process Name" NOT ILIKE ANY ('%firefox%','%chrome%','%msedge%','%brave%','%opera%','%iexplore%')
    )
    OR (LOGSOURCETYPEID(logsourceid) = 347 AND QIDNAME(qid) ILIKE '%RunInstances%')
  )
ORDER BY devicetime DESC
LIMIT 1000
high severity medium confidence

QRadar AQL detection for T1204.003 covering three branches: miner process execution by image name, command-line arguments referencing mining pool stratum protocols or pool addresses, and outbound connections to known mining pool ports from non-browser processes. Also captures AWS RunInstances events via CloudTrail log source type 347 for cloud image deployment detection.

Data Sources

IBM QRadar SIEMWindows Security Event Log (LOGSOURCETYPEID 12)Sysmon via QRadar DSMAWS CloudTrail (LOGSOURCETYPEID 347)Linux OS Logs (LOGSOURCETYPEID 433)

Required Tables

events

False Positives & Tuning

  • Authorized cryptocurrency mining operations where the organization has deployed mining software as part of a legitimate business activity
  • AWS CI/CD pipelines that frequently launch EC2 instances from custom AMIs that may not match well-known publisher patterns, triggering RunInstances detections
  • Penetration testing engagements where testers execute miner binaries as part of post-exploitation simulation to validate endpoint detection capabilities
Download portable Sigma rule (.yml)

Other platforms for T1204.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Docker Container Executing Cryptocurrency Miner Process Name

    Expected signal: Linux syslog or auditd process creation event showing process name 'xmrig' spawned under dockerd/containerd parent process. If Sysmon for Linux is deployed, EventCode=1 with Image containing 'xmrig' and ParentImage containing 'containerd-shim' or 'runc'. Docker daemon logs show container start/stop events.

  2. Test 2Simulate Mining Pool Network Connection Attempt

    Expected signal: If Sysmon for Linux is deployed: EventCode=3 network connection event with Image=curl, DestinationPort=3333, DestinationHostname=pool.minexmr.com. DNS query EventCode=22 for pool.minexmr.com. On Windows equivalent: 'Test-NetConnection -ComputerName pool.minexmr.com -Port 3333' generates Sysmon EventCode=3.

  3. Test 3Pull and Inspect Publicly Known Malicious-Style Docker Image Name

    Expected signal: Docker daemon log entry for image pull. Process creation event for 'wget' process spawned from container runtime (dockerd/containerd parent). Network connection attempt to 127.0.0.1:3333 generating Sysmon EventCode=3 or auditd network event. 'docker history' output shows image layer commands.

  4. Test 4AWS EC2 Instance Launch from Public Community AMI

    Expected signal: AWS CloudTrail RunInstances event with eventName=RunInstances, requestParameters.instancesSet.items[0].imageId containing the public AMI ID, userIdentity fields showing the executing principal, awsRegion=us-east-1. Followed by StopInstances event.

  5. Test 5Container Environment Variable Credential Exposure Simulation

    Expected signal: Process creation event with container spawning wget/curl with credential parameters visible in command line. Network connection attempt to exfil endpoint. Container inspect shows AWS_* environment variables in container configuration. Linux syslog shows process execution under dockerd parent.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1204.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.001Malicious LinkT1204.002Malicious FileT1204.004Malicious Copy and PasteT1204.005Malicious Library

Related Techniques

T1204User ExecutionT1204.001Malicious LinkT1204.002Malicious FileT1608.001Upload MalwareT1036.005Match Legitimate Resource Name or LocationT1525Implant Internal ImageT1610Deploy ContainerT1496Resource HijackingT1552.007Container API

Same Tactic: Execution

Popular Detections