T1525 Implant Internal Image Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AwsImageOps = dynamic([
  "CreateImage", "RegisterImage", "CopyImage", "ImportImage",
  "ModifyImageAttribute", "ImportSnapshot", "CreateSnapshot",
  "PutImage", "BatchDeleteImage", "InitiateLayerUpload", "CompleteLayerUpload"
]);
let AzureImageOps = dynamic([
  "microsoft.compute/images/write",
  "microsoft.compute/galleries/images/versions/write",
  "microsoft.containerregistry/registries/push/action",
  "microsoft.containerregistry/registries/importimage/action",
  "microsoft.compute/virtualmachines/capture/action"
]);
// AWS EC2 / ECR image operations ingested via AWS CloudTrail connector
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventSource in ("ec2.amazonaws.com", "ecr.amazonaws.com")
| where EventName in (AwsImageOps)
| extend ActorIdentity = UserIdentityArn
| extend ActorType = UserIdentityType
| extend SourceIP = SourceIpAddress
| extend IsRootActor = (UserIdentityType =~ "Root")
| extend IsExternalIP = (SourceIpAddress !startswith "10." and SourceIpAddress !startswith "192.168." and SourceIpAddress !startswith "172." and SourceIpAddress !startswith "fd" and SourceIpAddress != "AWS Internal")
| extend RequestedResource = tostring(parse_json(RequestParameters).name)
| project TimeGenerated, Platform="AWS", EventName, ActorIdentity, ActorType, SourceIP,
         IsRootActor, IsExternalIP, RequestedResource, RequestParameters, UserAgent
| union (
  // Azure Compute and Container Registry image operations
  AzureActivity
  | where TimeGenerated > ago(24h)
  | where tolower(OperationNameValue) in (AzureImageOps)
  | where ActivityStatusValue =~ "Succeeded"
  | extend ActorIdentity = Caller
  | extend SourceIP = CallerIpAddress
  | extend IsExternalIP = (CallerIpAddress !startswith "10." and CallerIpAddress !startswith "192.168." and CallerIpAddress !startswith "172.")
  | extend RequestedResource = tostring(parse_json(tostring(Properties)).resource)
  | project TimeGenerated, Platform="Azure", EventName=OperationNameValue, ActorIdentity,
           ActorType="AzureIdentity", SourceIP, IsRootActor=false, IsExternalIP,
           RequestedResource, RequestParameters=tostring(Properties), UserAgent=""
)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud: Cloud Service Modification AWS CloudTrail Azure Activity Log Cloud: Cloud Storage Object Modification

Required Tables

AWSCloudTrail AzureActivity

False Positives

CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)
Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots
Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs
Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use
Security teams creating forensic images from compromised instances as part of an incident response workflow

Splunk

spl

index=main (sourcetype="aws:cloudtrail" OR sourcetype="azure:activity")
| eval Platform=case(
    sourcetype=="aws:cloudtrail", "AWS",
    sourcetype=="azure:activity", "Azure",
    true(), "Unknown"
  )
| eval EventOp=case(
    Platform=="AWS", eventName,
    Platform=="Azure", operationName,
    true(), "unknown"
  )
| where (
    Platform=="AWS" AND (
      EventOp="CreateImage" OR EventOp="RegisterImage" OR EventOp="CopyImage" OR
      EventOp="ImportImage" OR EventOp="ModifyImageAttribute" OR EventOp="ImportSnapshot" OR
      EventOp="PutImage" OR EventOp="CompleteLayerUpload" OR EventOp="InitiateLayerUpload"
    )
  ) OR (
    Platform=="Azure" AND (
      match(lower(EventOp), "microsoft\.compute/(images|galleries)") OR
      match(lower(EventOp), "microsoft\.containerregistry/registries/(push|importimage)") OR
      match(lower(EventOp), "microsoft\.compute/virtualmachines/capture")
    )
  )
| eval ActorUser=case(
    Platform=="AWS", 'userIdentity.arn',
    Platform=="Azure", caller,
    true(), "unknown"
  )
| eval ActorType=case(
    Platform=="AWS", 'userIdentity.type',
    Platform=="Azure", "AzureIdentity",
    true(), "unknown"
  )
| eval SourceIP=case(
    Platform=="AWS", sourceIPAddress,
    Platform=="Azure", callerIpAddress,
    true(), "unknown"
  )
| eval IsExternalIP=if(
    match(SourceIP, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)|(^fd)|(^AWS Internal)"),
    0, 1
  )
| eval IsRootOrAdmin=if(
    (Platform=="AWS" AND ActorType="Root") OR
    match(lower(ActorUser), "(root|admin|administrator)"),
    1, 0
  )
| eval RiskScore=IsExternalIP + IsRootOrAdmin
| table _time, Platform, EventOp, ActorUser, ActorType, SourceIP, IsExternalIP, IsRootOrAdmin, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Cloud: Cloud Service Modification AWS CloudTrail Azure Activity Log

Required Sourcetypes

aws:cloudtrail azure:activity

False Positives

Automated CI/CD pipelines (Jenkins, GitHub Actions, CircleCI) performing image builds and pushes as part of software delivery workflows
Cloud administrators creating AMI snapshots for backup, recovery, or compliance archiving purposes
DevOps teams refreshing base images via infrastructure-as-code automation (Terraform, Ansible, Packer)
Container registry sync jobs mirroring approved public images into internal private registries
Security incident responders capturing forensic images from suspected compromised instances

Elastic Security (EQL)

eql

any where event.dataset in ("aws.cloudtrail","azure.activitylogs") and
  (
    (cloud.provider == "aws" and event.action : ("CreateImage","RegisterImage","CopyImage","ImportImage",
      "ModifyImageAttribute","PutImage","CompleteLayerUpload","InitiateLayerUpload")) or
    (cloud.provider == "azure" and event.action : (
      "microsoft.compute/images/write",
      "microsoft.containerregistry/registries/push/action",
      "microsoft.compute/virtualmachines/capture/action"))
  )

high severity medium confidence

Data Sources

AWS CloudTrail via Elastic integration Azure Activity Logs via Elastic integration

Required Tables

logs-aws.cloudtrail-* logs-azure.activitylogs-*

False Positives

CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)
Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots
Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs
Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use
Security teams creating forensic images from compromised instances as part of an incident response workflow

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource,
  "userIdentity_arn" as ActorArn, "sourceIPAddress" as SourceIP,
  "eventName" as EventName, "eventSource" as EventSource,
  CASE WHEN "userIdentity_type" = 'Root' THEN 10
       WHEN "sourceIPAddress" NOT LIKE '10.%' AND "sourceIPAddress" NOT LIKE '192.168.%'
            AND "sourceIPAddress" != 'AWS Internal' THEN 7
       ELSE 4 END as RiskScore
FROM events
WHERE category = 'aws_cloudtrail'
  AND "eventName" IN ('CreateImage','RegisterImage','CopyImage','ImportImage',
                       'ModifyImageAttribute','PutImage','CompleteLayerUpload','InitiateLayerUpload')
ORDER BY EventTime DESC

high severity medium confidence

Data Sources

AWS CloudTrail via QRadar DSM

Required Tables

events

False Positives

CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)
Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots
Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs
Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use
Security teams creating forensic images from compromised instances as part of an incident response workflow

Sumo Logic CSE

sql

(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/activity)
| json auto
| eval Platform = if(_sourceCategory matches "aws*", "AWS", "Azure")
| eval EventOp = if(Platform == "AWS", eventName, operationName)
| where (Platform == "AWS" AND EventOp in ("CreateImage","RegisterImage","CopyImage","ImportImage",
    "ModifyImageAttribute","PutImage","CompleteLayerUpload","InitiateLayerUpload"))
  OR (Platform == "Azure" AND (EventOp matches "(?i)microsoft.compute/(images|virtualmachines/capture)"
    OR EventOp matches "(?i)microsoft.containerregistry/registries/(push|importimage)"))
| eval SourceIP = if(Platform == "AWS", sourceIPAddress, callerIpAddress)
| eval Actor = if(Platform == "AWS", userIdentityArn, caller)
| eval IsExternal = if(!SourceIP matches "^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|AWS Internal)", 1, 0)
| table _time, Platform, EventOp, Actor, SourceIP, IsExternal
| sort by _time desc

high severity medium confidence

Data Sources

AWS CloudTrail via Sumo Logic Azure Activity Logs via Sumo Logic

Required Tables

aws/cloudtrail azure/activity

False Positives

CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)
Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots
Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs
Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use
Security teams creating forensic images from compromised instances as part of an incident response workflow

Google Chronicle / SecOps

yaral

rule cloud_image_implant {
  meta:
    author = "Detection Engineering"
    description = "Detects cloud image creation and modification (T1525)"
    severity = "HIGH"
    tactic = "TA0003"

  events:
    $e.metadata.event_type = "RESOURCE_CREATION"
    $e.metadata.vendor_name = "AMAZON" or $e.metadata.vendor_name = "MICROSOFT"
    (
      $e.metadata.product_event_type = /CreateImage|RegisterImage|CopyImage|ImportImage|PutImage|CompleteLayerUpload/ nocase or
      $e.target.resource.name = /images\/write|registries\/push/ nocase
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

AWS CloudTrail UDM Events Azure Activity UDM Events

Required Tables

RESOURCE_CREATION

False Positives

CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)
Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots
Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs
Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use
Security teams creating forensic images from compromised instances as part of an incident response workflow

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "CloudApiCall"
| CloudApiAction = /CreateImage|RegisterImage|CopyImage|ImportImage|PutImage|CompleteLayerUpload/i
| eval risk_level = case {
    CloudApiUserType = "Root" : "critical";
    ExternalIP != "" AND ExternalIP != null : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, CloudApiAction, CloudApiService, ExternalIP, risk_level
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Cloud Security Events

Required Tables

CloudApiCall

False Positives

CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)
Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots
Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs
Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use
Security teams creating forensic images from compromised instances as part of an incident response workflow

Implant Internal Image

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Persistence

Popular Detections