Detect Implant Internal Image in Microsoft Sentinel
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. AWS AMIs, GCP Images, Azure Images, and container registries such as ECR, ACR, and Docker Hub private registries can be backdoored. Unlike uploading malware to external infrastructure, this technique focuses on modifying or creating images within a victim's own cloud environment. If the infrastructure provisioning pipeline is configured to always pull the latest image, a backdoored image ensures persistent access to any newly spun-up instance.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1525 Implant Internal Image
- Canonical reference: https://attack.mitre.org/techniques/T1525/
KQL Detection Query

```kql
let AwsImageOps = dynamic([
    "CreateImage", "RegisterImage", "CopyImage", "ImportImage",
    "ModifyImageAttribute", "ImportSnapshot", "CreateSnapshot",
    "PutImage", "BatchDeleteImage", "InitiateLayerUpload", "CompleteLayerUpload"
]);
let AzureImageOps = dynamic([
    "microsoft.compute/images/write",
    "microsoft.compute/galleries/images/versions/write",
    "microsoft.containerregistry/registries/push/action",
    "microsoft.containerregistry/registries/importimage/action",
    "microsoft.compute/virtualmachines/capture/action"
]);
// RFC 1918 ranges. A CIDR test is used so that only 172.16.0.0/12, not every 172.x address, counts as private.
let PrivateRanges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
// AWS EC2 / ECR image operations ingested via the AWS CloudTrail connector
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventSource in ("ec2.amazonaws.com", "ecr.amazonaws.com")
| where EventName in (AwsImageOps)
| extend ActorIdentity = UserIdentityArn
| extend ActorType = UserIdentityType
| extend SourceIP = SourceIpAddress
| extend IsRootActor = (UserIdentityType =~ "Root")
// Non-IPv4 values ("AWS Internal", IPv6) make ipv4_is_in_any_range() return null; coalesce() keeps them
// out of the private set, and the explicit checks below then exclude the AWS marker and IPv6 ULA (fd00::/8).
| extend IsExternalIP = not(coalesce(ipv4_is_in_any_range(SourceIpAddress, PrivateRanges), false))
    and SourceIpAddress !startswith "fd" and SourceIpAddress != "AWS Internal"
| extend RequestedResource = tostring(parse_json(RequestParameters).name)
| project TimeGenerated, Platform="AWS", EventName, ActorIdentity, ActorType, SourceIP,
    IsRootActor, IsExternalIP, RequestedResource, RequestParameters, UserAgent
| union (
    // Azure Compute and Container Registry image operations
    AzureActivity
    | where TimeGenerated > ago(24h)
    | where tolower(OperationNameValue) in (AzureImageOps)
    // The current AzureActivity schema reports "Success"; older records may carry "Succeeded"
    | where ActivityStatusValue in~ ("Success", "Succeeded")
    | extend ActorIdentity = Caller
    | extend SourceIP = CallerIpAddress
    | extend IsExternalIP = not(coalesce(ipv4_is_in_any_range(CallerIpAddress, PrivateRanges), false))
    | extend RequestedResource = tostring(parse_json(tostring(Properties)).resource)
    | project TimeGenerated, Platform="Azure", EventName=OperationNameValue, ActorIdentity,
        ActorType="AzureIdentity", SourceIP, IsRootActor=false, IsExternalIP,
        RequestedResource, RequestParameters=tostring(Properties), UserAgent=""
)
| sort by TimeGenerated desc
```

Detects cloud and container image creation, modification, and push operations across AWS (EC2 AMIs, ECR) and Azure (Compute Images, Container Registry) using the native cloud audit log connectors in Microsoft Sentinel. It monitors CreateImage, RegisterImage, CopyImage, ImportImage, and ModifyImageAttribute on EC2; PutImage and CompleteLayerUpload on ECR; and the equivalent Azure Compute and ACR write operations. Activity from root/privileged accounts and from external IP addresses is flagged as higher risk. Requires the AWS CloudTrail connector and the Azure Activity Log connector to be configured in Sentinel.
Data Sources
Required Tables
- AWSCloudTrail (AWS CloudTrail connector)
- AzureActivity (Azure Activity Log connector)
False Positives & Tuning
- CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)
- Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots
- Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs
- Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use
- Security teams creating forensic images from compromised instances as part of an incident response workflow
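A tuning stage for the false positives listed above, added here as an example and not part of the original rule: it allow-lists known build automation together with the build subnet it is expected to use, re-derives the external-IP flag with a CIDR test, and scores what remains so that a known identity acting from an unexpected network still surfaces. The sample rows, principal names, CIDRs and weights are constructed assumptions standing in for the detection query's output.

```kql
// Constructed sample rows standing in for the output of the detection query (assumed values)
let ImageOperations = datatable(TimeGenerated:datetime, Platform:string, EventName:string,
    ActorIdentity:string, SourceIP:string, IsRootActor:bool, RequestedResource:string) [
    datetime(2024-05-01 02:10:00), "AWS", "CreateImage",
        "arn:aws:sts::111122223333:assumed-role/packer-image-builder/build-42", "10.50.3.14", false, "golden-ubuntu",
    datetime(2024-05-01 02:12:00), "AWS", "PutImage",
        "arn:aws:iam::111122223333:root", "198.51.100.23", true, "payments-api",
    datetime(2024-05-01 02:15:00), "Azure", "microsoft.containerregistry/registries/importimage/action",
        "sp-terraform-prod@contoso.example", "10.50.7.2", false, "base-dotnet",
    datetime(2024-05-01 02:20:00), "AWS", "ModifyImageAttribute",
        "arn:aws:iam::111122223333:user/jdoe", "198.51.100.77", false, "golden-ubuntu"
];
// Assumed allow-list: identities that legitimately build or push images, and the CI runner subnet they use
let KnownBuildPrincipals = dynamic(["role/packer-image-builder", "role/github-actions-ecr-push", "sp-terraform-prod@"]);
let BuildNetworks = dynamic(["10.50.0.0/16"]);
let Rfc1918 = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
// Operations that change who may use an image, or pull one in from elsewhere, get extra weight
let HighImpactOps = dynamic(["ModifyImageAttribute", "microsoft.containerregistry/registries/importimage/action"]);
ImageOperations
| extend IsKnownBuilder = ActorIdentity has_any (KnownBuildPrincipals)
| extend FromBuildNetwork = coalesce(ipv4_is_in_any_range(SourceIP, BuildNetworks), false)
// Unparseable values (IPv6, service markers) fall through coalesce() and count as external,
// except the literal "AWS Internal" marker, which CloudTrail uses for AWS-initiated actions
| extend IsExternalIP = SourceIP != "AWS Internal"
    and not(coalesce(ipv4_is_in_any_range(SourceIP, Rfc1918), false))
// Suppress only the complete expected pattern: known automation identity AND the build subnet.
// A known identity acting from an unexpected network is kept (possible stolen pipeline credentials).
| where not(IsKnownBuilder and FromBuildNetwork)
// Score the remainder so analysts triage the riskiest combinations first
| extend RiskScore = iff(IsRootActor, 50, 0)
                   + iff(IsExternalIP, 30, 0)
                   + iff(EventName in (HighImpactOps), 20, 0)
| extend Severity = case(RiskScore >= 70, "High", RiskScore >= 30, "Medium", "Low")
| project TimeGenerated, Platform, EventName, ActorIdentity, SourceIP, RequestedResource,
    IsKnownBuilder, IsExternalIP, IsRootActor, RiskScore, Severity
| sort by RiskScore desc, TimeGenerated desc
```

With the sample rows, the two pipeline operations from the build subnet are suppressed, the root PutImage from a public address scores 80 (High), and the ModifyImageAttribute by an IAM user from a public address scores 50 (Medium).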
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS AMI Creation from Existing Instance
  Expected signal: AWS CloudTrail event with EventName=CreateImage and EventSource=ec2.amazonaws.com. The event includes requestParameters with the instanceId, name, and noReboot fields. A follow-up DescribeImages event appears as the AMI status is checked. The actor's IAM ARN, source IP, and user agent (aws-cli) are captured in the UserIdentityArn, SourceIpAddress, and UserAgent fields.
- Test 2: Docker Image Modification and Push to Local Registry
  Expected signal: Docker daemon logs record the build and push operations. If Docker events are forwarded to the SIEM via a log shipper (Filebeat, Splunk UF), the events show the image build and push with the image name and tag. In Kubernetes environments, admission controller logs (OPA, Kyverno) record any attempt to run this image. Container runtime security tools (Falco, Sysdig) generate events for the image push.
- Test 3: AWS ECR Image Push with Modified Tag
  Expected signal: AWS CloudTrail events GetAuthorizationToken (ECR login), InitiateLayerUpload (begin push), UploadLayerPart (each image layer), CompleteLayerUpload (layer commit), and PutImage (finalize the image with its tag), all with EventSource=ecr.amazonaws.com. Every event includes the actor IAM ARN, source IP, repository ARN, and user agent. The PutImage event carries imageManifest in requestParameters.
- Test 4: Azure Container Registry Image Import
  Expected signal: Azure Activity Log event with OperationName=microsoft.containerregistry/registries/importimage/action, ResourceType=Microsoft.ContainerRegistry/registries, and ActivityStatus=Succeeded. It includes Caller (UPN or service principal), CallerIpAddress, and ResourceId. The Azure Monitor diagnostic logs for ACR also record the image push with repository, tag, and digest details.
References (11)
- https://attack.mitre.org/techniques/T1525/
- https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/
- https://github.com/RhinoSecurityLabs/ccat
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-push.html
- https://docs.microsoft.com/en-us/azure/container-registry/container-registry-intro
- https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images
- https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/amazon-web-services
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
- https://sysdig.com/blog/container-image-scanning/
- https://falco.org/docs/rules/default-macros/