T1204.003 Splunk · SPL

Detect Malicious Image in Splunk

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services AMIs, Google Cloud Platform Images, Azure Images, and container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to public repositories, and users may download and deploy an instance or container without realizing the image is malicious. This technique is commonly used to deploy cryptocurrency miners, backdoors, and data exfiltration tools. TeamTNT is a prominent threat actor known for publishing malicious Docker images to Docker Hub containing XMRig cryptocurrency miners and credential stealers. Adversaries may also typosquat popular image names to increase the likelihood of accidental deployment.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.003 Malicious Image
Canonical reference
https://attack.mitre.org/techniques/T1204/003/

SPL Detection Query

Splunk (SPL)
index=* earliest=-24h
    (
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
        (Image IN ("*\\xmrig.exe", "*\\xmrig-notls.exe", "*\\minerd.exe", "*\\cpuminer.exe",
                   "*\\nbminer.exe", "*\\t-rex.exe", "*\\lolminer.exe", "*\\ethminer.exe",
                   "*\\cgminer.exe", "*\\bfgminer.exe", "*\\phoenixminer.exe")
         OR CommandLine IN ("*stratum+tcp*", "*stratum+ssl*", "*--donate-level*",
                            "*xmrpool*", "*supportxmr*", "*minexmr*", "*moneroocean*")))
    OR
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
        (DestinationPort IN (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999))
        NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
             OR DestinationIp="192.168.*" OR DestinationIp="127.*")
        NOT Image IN ("*\\chrome.exe", "*\\firefox.exe", "*\\msedge.exe",
                      "*\\brave.exe", "*\\opera.exe", "*\\iexplore.exe"))
    OR
    (sourcetype="aws:cloudtrail" eventName="RunInstances")
    OR
    (sourcetype IN ("linux_secure", "syslog", "linux:syslog")
        (process IN ("xmrig", "minerd", "cpuminer", "nbminer", "t-rex", "lolminer", "cgminer")
         OR message IN ("*stratum+tcp*", "*stratum+ssl*", "*xmrig*", "*donate-level*")))
    )
| eval DetectionBranch=case(
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode="1", "MinerProcessExecution",
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode="3", "MiningPoolNetworkConnection",
    sourcetype="aws:cloudtrail", "AWSInstanceLaunch",
    sourcetype IN ("linux_secure", "syslog", "linux:syslog"), "LinuxMinerProcess",
    true(), "Unknown"
)
| eval HostName=coalesce(host, "N/A")
| eval UserName=coalesce(User, 'userIdentity.userName', user, "N/A")
| eval ProcessImage=coalesce(Image, process, "N/A")
| eval CmdLine=coalesce(CommandLine, message, "N/A")
| eval DestPort=coalesce(DestinationPort, "N/A")
| eval DestIP=coalesce(DestinationIp, "N/A")
| eval ParentImage=coalesce(ParentImage, "N/A")
| spath input=requestParameters path=instancesSet.items{0}.imageId output=LaunchedAMIId
| eval LaunchedAMIId=coalesce(LaunchedAMIId, "N/A")
| eval AWSRegion=coalesce(awsRegion, "N/A")
| eval AWSAccount=coalesce(recipientAccountId, "N/A")
| table _time, DetectionBranch, HostName, UserName, ProcessImage, CmdLine,
        ParentImage, DestIP, DestPort, LaunchedAMIId, AWSRegion, AWSAccount
| sort - _time
Severity: high. Confidence: medium.

Multi-sourcetype detection for malicious image execution spanning Windows endpoints, Linux hosts, and AWS cloud infrastructure. It covers four detection branches: (1) Sysmon EventCode=1 process creation where the image name matches a known cryptocurrency miner binary or the command line contains stratum protocol or mining pool arguments; (2) Sysmon EventCode=3 network connections from non-browser processes to known mining pool ports, excluding destinations in the listed private (RFC 1918) and loopback prefixes; (3) AWS CloudTrail RunInstances events for EC2 instance launches, with the AMI ID extracted via spath for analyst review; (4) Linux syslog/linux_secure process events matching miner process names or command-line patterns. Results are normalized into one schema, and AWS events carry the launched AMI ID to support rapid triage.
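To make the branch logic inspectable outside Splunk, the following is an added Python re-implementation of the same four branches and the eval/coalesce/spath normalization, run over constructed sample events. It is example code written for this page, not part of the detection package. Field names follow the sourcetypes the query references; the events, host names, users and the AMI ID are constructed. It generalizes one point: where the query excludes the literal prefixes 10.*, 172.16.*, 172.17.*, 192.168.* and 127.*, this version uses the full RFC 1918 and loopback ranges via the ipaddress module, so a destination such as 172.20.1.5 is treated as internal here even though the literal prefixes in the SPL would not exclude it.

```python
"""Added example: the SPL detection branches for T1204.003, re-implemented in Python
over constructed sample events (not real telemetry, not the page's own code)."""
import fnmatch
import ipaddress
import json

SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
LINUX_SOURCETYPES = {"linux_secure", "syslog", "linux:syslog"}

# Pattern lists copied from the query; '*' wildcards behave like Splunk's IN matching.
MINER_IMAGES = ["*\\xmrig.exe", "*\\xmrig-notls.exe", "*\\minerd.exe", "*\\cpuminer.exe",
                "*\\nbminer.exe", "*\\t-rex.exe", "*\\lolminer.exe", "*\\ethminer.exe",
                "*\\cgminer.exe", "*\\bfgminer.exe", "*\\phoenixminer.exe"]
MINER_CMDLINE = ["*stratum+tcp*", "*stratum+ssl*", "*--donate-level*",
                 "*xmrpool*", "*supportxmr*", "*minexmr*", "*moneroocean*"]
POOL_PORTS = {3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999}
BROWSERS = ["*\\chrome.exe", "*\\firefox.exe", "*\\msedge.exe",
            "*\\brave.exe", "*\\opera.exe", "*\\iexplore.exe"]
LINUX_MINERS = {"xmrig", "minerd", "cpuminer", "nbminer", "t-rex", "lolminer", "cgminer"}
LINUX_PATTERNS = ["*stratum+tcp*", "*stratum+ssl*", "*xmrig*", "*donate-level*"]

# Generalisation of the query's literal prefix exclusions to full RFC 1918 + loopback.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def matches_any(value, patterns):
    """Case-insensitive wildcard match of a field value against a list of patterns."""
    if value is None:
        return False
    v = str(value).lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def is_internal(ip):
    """True when the destination falls inside an excluded private/loopback range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EXCLUDED_NETS)


def classify(event):
    """Return the DetectionBranch name for an event, or None if no branch matches."""
    st = event.get("sourcetype")
    code = str(event.get("EventCode", ""))
    if st == SYSMON and code == "1":
        hit = (matches_any(event.get("Image"), MINER_IMAGES)
               or matches_any(event.get("CommandLine"), MINER_CMDLINE))
        return "MinerProcessExecution" if hit else None
    if st == SYSMON and code == "3":
        hit = (int(event.get("DestinationPort", 0)) in POOL_PORTS
               and not is_internal(event.get("DestinationIp", ""))
               and not matches_any(event.get("Image"), BROWSERS))
        return "MiningPoolNetworkConnection" if hit else None
    if st == "aws:cloudtrail" and event.get("eventName") == "RunInstances":
        return "AWSInstanceLaunch"
    if st in LINUX_SOURCETYPES:
        hit = (event.get("process") in LINUX_MINERS
               or matches_any(event.get("message"), LINUX_PATTERNS))
        return "LinuxMinerProcess" if hit else None
    return None


def launched_ami_id(event):
    """Equivalent of: spath input=requestParameters path=instancesSet.items{0}.imageId."""
    raw = event.get("requestParameters")
    if not raw:
        return "N/A"
    params = json.loads(raw) if isinstance(raw, str) else raw
    try:
        return params["instancesSet"]["items"][0]["imageId"]
    except (KeyError, IndexError, TypeError):
        return "N/A"


def normalize(event):
    """Build the same normalised row the query's eval/coalesce/table chain produces."""
    branch = classify(event)
    if branch is None:
        return None
    return {
        "DetectionBranch": branch,
        "HostName": event.get("host", "N/A"),
        "UserName": (event.get("User") or event.get("userIdentity.userName")
                     or event.get("user") or "N/A"),
        "ProcessImage": event.get("Image") or event.get("process") or "N/A",
        "CmdLine": event.get("CommandLine") or event.get("message") or "N/A",
        "DestIP": event.get("DestinationIp", "N/A"),
        "DestPort": event.get("DestinationPort", "N/A"),
        "LaunchedAMIId": launched_ami_id(event),
    }


SAMPLE_EVENTS = [  # constructed sample telemetry, one or more per branch
    {"sourcetype": SYSMON, "EventCode": 1, "host": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\xmrig.exe",
     "CommandLine": "xmrig.exe -o stratum+tcp://pool.example:3333 --donate-level 1"},
    {"sourcetype": SYSMON, "EventCode": 3, "host": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\Temp\\svc.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 3333},
    # browser process on a pool port: suppressed by the NOT Image list
    {"sourcetype": SYSMON, "EventCode": 3, "host": "WS03", "DestinationPort": 4444,
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.11"},
    # 172.20.0.0/16 is RFC 1918; excluded here, but not by the SPL's literal 172.16.*/172.17.* prefixes
    {"sourcetype": SYSMON, "EventCode": 3, "host": "WS04", "Image": "C:\\Windows\\Temp\\svc.exe",
     "DestinationIp": "172.20.1.5", "DestinationPort": 5555},
    {"sourcetype": "aws:cloudtrail", "eventName": "RunInstances", "userIdentity.userName": "deployer",
     "awsRegion": "us-east-1",  # constructed, placeholder AMI id below
     "requestParameters": json.dumps({"instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0"}]}})},
    {"sourcetype": "linux_secure", "host": "lnx01", "user": "root", "process": "xmrig",
     "message": "xmrig[4242]: started"},
    {"sourcetype": "syslog", "host": "lnx02", "process": "sshd", "message": "Accepted publickey for deploy"},
]


def run(events=SAMPLE_EVENTS):
    """Apply the detection to a list of events and return the matching normalised rows."""
    return [row for row in (normalize(e) for e in events) if row is not None]


if __name__ == "__main__":
    for row in run():
        print(row)
```

Running it yields four rows (MinerProcessExecution, MiningPoolNetworkConnection, AWSInstanceLaunch, LinuxMinerProcess); the browser connection, the 172.20.x destination and the unrelated sshd line produce nothing. The 172.20.x case is the one place this differs from the SPL as written, which is worth keeping in mind when tuning the DestinationIp exclusions.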

Data Sources

  • Process: Process Creation
  • Network Traffic: Network Connection Creation
  • Cloud Service: Cloud Service Modification
  • Sysmon Event ID 1
  • Sysmon Event ID 3
  • AWS CloudTrail
  • Linux Syslog

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • aws:cloudtrail
  • linux_secure

False Positives & Tuning

  • Legitimate GPU compute or rendering workloads using non-standard network ports that overlap with mining pool port ranges
  • Authorized red team or penetration testing exercises deploying containers or VMs with miner tooling
  • Internal benchmark tools with process names similar to mining utilities
  • AWS EC2 launches from shared AMIs used for legitimate specialized workloads (network virtual appliances, security scanners, BYOL software)
  • Linux processes with mining-related names used for legitimate CPU benchmarking or performance validation in lab environments

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Docker Container Executing Cryptocurrency Miner Process Name

    Expected signal: Linux syslog or auditd process creation event showing process name 'xmrig' spawned under dockerd/containerd parent process. If Sysmon for Linux is deployed, EventCode=1 with Image containing 'xmrig' and ParentImage containing 'containerd-shim' or 'runc'. Docker daemon logs show container start/stop events.

  2. Test 2: Simulate Mining Pool Network Connection Attempt

    Expected signal: If Sysmon for Linux is deployed: EventCode=3 network connection event with Image=curl, DestinationPort=3333, DestinationHostname=pool.minexmr.com. DNS query EventCode=22 for pool.minexmr.com. On Windows equivalent: 'Test-NetConnection -ComputerName pool.minexmr.com -Port 3333' generates Sysmon EventCode=3.

  3. Test 3: Pull and Inspect Publicly Known Malicious-Style Docker Image Name

    Expected signal: Docker daemon log entry for image pull. Process creation event for 'wget' process spawned from container runtime (dockerd/containerd parent). Network connection attempt to 127.0.0.1:3333 generating Sysmon EventCode=3 or auditd network event. 'docker history' output shows image layer commands.

  4. Test 4: AWS EC2 Instance Launch from Public Community AMI

    Expected signal: AWS CloudTrail RunInstances event with eventName=RunInstances, requestParameters.instancesSet.items[0].imageId containing the public AMI ID, userIdentity fields showing the executing principal, awsRegion=us-east-1. Followed by StopInstances event.

  5. Test 5: Container Environment Variable Credential Exposure Simulation

    Expected signal: Process creation event with container spawning wget/curl with credential parameters visible in command line. Network connection attempt to exfil endpoint. Container inspect shows AWS_* environment variables in container configuration. Linux syslog shows process execution under dockerd parent.
