T1525 Splunk · SPL

Detect Implant Internal Image in Splunk

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. AWS AMIs, GCP Images, Azure Images, and container registries such as ECR, ACR, and Docker Hub private registries can be backdoored. Unlike uploading malware to external infrastructure, this technique focuses on modifying or creating images within a victim's own cloud environment. If the infrastructure provisioning pipeline is configured to always pull the latest image, a backdoored image ensures persistent access to any newly spun-up instance.

MITRE ATT&CK

Tactic
Persistence
Technique
T1525 Implant Internal Image
Canonical reference
https://attack.mitre.org/techniques/T1525/

SPL Detection Query

Splunk (SPL)

```spl
index=main (sourcetype="aws:cloudtrail" OR sourcetype="azure:activity")
| eval Platform=case(
    sourcetype=="aws:cloudtrail", "AWS",
    sourcetype=="azure:activity", "Azure",
    true(), "Unknown"
  )
| eval EventOp=case(
    Platform=="AWS", eventName,
    Platform=="Azure", operationName,
    true(), "unknown"
  )
| where (
    Platform=="AWS" AND (
      EventOp="CreateImage" OR EventOp="RegisterImage" OR EventOp="CopyImage" OR
      EventOp="ImportImage" OR EventOp="ModifyImageAttribute" OR EventOp="ImportSnapshot" OR
      EventOp="PutImage" OR EventOp="CompleteLayerUpload" OR EventOp="InitiateLayerUpload"
    )
  ) OR (
    Platform=="Azure" AND (
      match(lower(EventOp), "^microsoft\.compute/(images|galleries)/.*(write|action)$") OR
      match(lower(EventOp), "^microsoft\.compute/virtualmachines/capture/action$") OR
      match(lower(EventOp), "^microsoft\.containerregistry/registries/importimage/action$")
    )
  )
| eval ActorUser=case(
    Platform=="AWS", 'userIdentity.arn',
    Platform=="Azure", caller,
    true(), "unknown"
  )
| eval ActorType=case(
    Platform=="AWS", 'userIdentity.type',
    Platform=="Azure", "AzureIdentity",
    true(), "unknown"
  )
| eval SourceIP=case(
    Platform=="AWS", sourceIPAddress,
    Platform=="Azure", callerIpAddress,
    true(), "unknown"
  )
| eval Target=case(
    Platform=="AWS", coalesce('requestParameters.repositoryName', 'requestParameters.name', 'requestParameters.imageId', 'requestParameters.instanceId'),
    Platform=="Azure", resourceId,
    true(), "unknown"
  )
| eval IsExternalIP=if(
    match(SourceIP, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)|^fd|^AWS Internal|\.amazonaws\.com$"),
    0, 1
  )
| eval IsRootOrAdmin=if(
    (Platform=="AWS" AND ActorType="Root") OR match(lower(ActorUser), "root|admin"),
    1, 0
  )
| eval RiskScore=IsExternalIP + IsRootOrAdmin
| table _time, Platform, EventOp, Target, ActorUser, ActorType, SourceIP, IsExternalIP, IsRootOrAdmin, RiskScore
| sort -RiskScore, -_time
```

Severity: high · Confidence: medium

Detects cloud image implanting activity across AWS (CloudTrail) and Azure (Activity Log) by matching EC2 AMI creation and modification events, ECR image push and layer upload events, and Azure Compute image, gallery and VM capture write operations plus ACR image imports. The Azure patterns are anchored on write/action operations so that the far more frequent read and list operations do not match. The Target field carries the image, repository, instance or resource being written so an analyst can pivot without opening the raw event. RiskScore (0 to 2) adds one point when the source IP is outside RFC 1918 and IPv6 ULA space and is not one of CloudTrail's service placeholders ("AWS Internal" or a service DNS name such as ec2.amazonaws.com), and one point when the actor is the AWS root user or the principal name contains "root" or "admin". Treat the external-IP point as a weak signal: ordinary console and CLI use also arrives from public addresses. Two scope limits to keep in mind: the Azure Activity Log is control plane only, so a docker push to ACR is not in it (it appears in ACR resource logs, category ContainerRegistryRepositoryEvents, which this query does not read), and GCP images are not covered. Requires the aws:cloudtrail and azure:activity sourcetypes to be ingested into Splunk.

Data Sources

Cloud: Cloud Service Modification
  • AWS CloudTrail
  • Azure Activity Log

Required Sourcetypes

  • aws:cloudtrail
  • azure:activity

False Positives & Tuning

  • Automated CI/CD pipelines (Jenkins, GitHub Actions, CircleCI) performing image builds and pushes as part of software delivery workflows
  • Cloud administrators creating AMI snapshots for backup, recovery, or compliance archiving purposes
  • DevOps teams refreshing base images via infrastructure-as-code automation (Terraform, Ansible, Packer)
  • Container registry sync jobs mirroring approved public images into internal private registries
  • Security incident responders capturing forensic images from suspected compromised instances

Testing Methodology

Validate this detection against the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS AMI Creation from Existing Instance

    Expected signal: AWS CloudTrail event with eventName=CreateImage and eventSource=ec2.amazonaws.com. requestParameters carries instanceId, name and noReboot. If the test polls the AMI state, a follow-up DescribeImages event appears as well (a read, so the query does not match it). The actor's IAM ARN, source IP and aws-cli user agent are in userIdentity.arn, sourceIPAddress and userAgent.

  2. Test 2: Docker Image Modification and Push to Local Registry

    Expected signal: nothing in CloudTrail or the Azure Activity Log, so this SPL query does not fire; the test validates host-side telemetry only. The Docker daemon logs the build and push, and if those logs are forwarded to Splunk (Splunk UF, Filebeat) the events show the image name and tag. In Kubernetes, admission controllers (OPA Gatekeeper, Kyverno) log any attempt to run the image, and runtime security tools (Falco, Sysdig) may generate events when the image is later run, not for the push itself.

  3. Test 3: AWS ECR Image Push with Modified Tag

    Expected signal: AWS CloudTrail events with eventSource=ecr.amazonaws.com in this order: GetAuthorizationToken (ECR login), InitiateLayerUpload (begin push), UploadLayerPart (one per layer part), CompleteLayerUpload (layer commit) and PutImage (finalize the image with its tag). Each includes the actor IAM ARN, source IP, repository ARN and user agent; the PutImage event includes repositoryName, imageTag and imageManifest in requestParameters. The query matches InitiateLayerUpload, CompleteLayerUpload and PutImage, so one push yields several rows for the same Target.

  4. Test 4: Azure Container Registry Image Import

    Expected signal: Azure Activity Log event with operationName=microsoft.containerregistry/registries/importimage/action, resourceType=Microsoft.ContainerRegistry/registries and status Succeeded, including caller (UPN or service principal), callerIpAddress and resourceId. ACR resource logs (ContainerRegistryRepositoryEvents) additionally record the resulting push with repository, tag and digest; a plain docker push to ACR shows up only there, not in the Activity Log.
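To check the scoring logic without a Splunk instance, here is a Python model of the SPL query above that also exercises the telemetry of Tests 1, 3 and 4, the Test 2 case that never reaches the query, and the CI/CD suppression from the False Positives list. It is an added example, not code from the original page or from Splunk; the log records are constructed, and the allowlisted role names (packer-build, github-actions-ecr) are assumptions standing in for your own build identities.

```python
"""Offline model of the T1525 SPL detection: normalise AWS CloudTrail and Azure
Activity Log records to the query's common fields, keep image-write operations,
score them, and suppress allowlisted build identities.
Added example, not part of the original page; sample records are constructed."""
import json
import re
from typing import Iterable, List, Optional

# Same AWS eventName values as the SPL query.
AWS_IMAGE_OPS = {
    "CreateImage", "RegisterImage", "CopyImage", "ImportImage",
    "ModifyImageAttribute", "ImportSnapshot",                  # EC2 AMIs / snapshots
    "PutImage", "CompleteLayerUpload", "InitiateLayerUpload",  # ECR pushes
}
# Azure control-plane operations, anchored on write/action so that
# .../images/read or .../images/delete do not match.
AZURE_IMAGE_OPS = re.compile(
    r"^microsoft\.compute/(images|galleries)/.*(write|action)$"
    r"|^microsoft\.compute/virtualmachines/capture/action$"
    r"|^microsoft\.containerregistry/registries/importimage/action$"
)
# Internal sources: RFC 1918, IPv6 ULA (fd00::/8), and the placeholders CloudTrail
# uses when an AWS service makes the call ("AWS Internal" or a service DNS name).
INTERNAL_SRC = re.compile(
    r"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)|^fd|^AWS Internal|\.amazonaws\.com$"
)
ROOT_OR_ADMIN = re.compile(r"root|admin", re.IGNORECASE)
# Hypothetical allowlist for the CI/CD false positives: role names are assumptions.
ALLOWLISTED_ACTORS = re.compile(r":assumed-role/(packer-build|github-actions-ecr)/")


def normalise(record: dict) -> Optional[dict]:
    """Map one raw record to the query's common fields; None if out of scope."""
    st = record.get("sourcetype")
    if st == "aws:cloudtrail":
        op = record.get("eventName", "")
        if op not in AWS_IMAGE_OPS:
            return None
        ident = record.get("userIdentity") or {}
        params = record.get("requestParameters") or {}
        return {
            "Platform": "AWS", "EventOp": op,
            "ActorUser": ident.get("arn", ""), "ActorType": ident.get("type", ""),
            "SourceIP": record.get("sourceIPAddress", ""),
            # First populated identifier, like coalesce() in the SPL
            "Target": params.get("repositoryName") or params.get("name")
                      or params.get("imageId") or params.get("instanceId") or "",
        }
    if st == "azure:activity":
        op = record.get("operationName", "")
        if not AZURE_IMAGE_OPS.search(op.lower()):
            return None
        return {
            "Platform": "Azure", "EventOp": op,
            "ActorUser": record.get("caller", ""), "ActorType": "AzureIdentity",
            "SourceIP": record.get("callerIpAddress", ""),
            "Target": record.get("resourceId", ""),
        }
    return None  # Docker daemon logs and other sourcetypes never reach the query


def score(row: dict) -> dict:
    """Add the query's IsExternalIP / IsRootOrAdmin / RiskScore fields."""
    row["IsExternalIP"] = 0 if INTERNAL_SRC.search(row["SourceIP"]) else 1
    row["IsRootOrAdmin"] = int(row["ActorType"] == "Root"
                               or bool(ROOT_OR_ADMIN.search(row["ActorUser"])))
    row["RiskScore"] = row["IsExternalIP"] + row["IsRootOrAdmin"]
    return row


def detect(records: Iterable[dict]) -> List[dict]:
    """Scored rows for in-scope records, with allowlisted build roles dropped."""
    rows = (normalise(r) for r in records)
    return [score(r) for r in rows
            if r is not None and not ALLOWLISTED_ACTORS.search(r["ActorUser"])]


# Constructed records (not real telemetry): Test 1, Test 3 as root, Test 3 from an
# allowlisted CI role, a read-only CloudTrail call, Test 4, an Azure read, Test 2.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"sourcetype": "aws:cloudtrail", "eventName": "CreateImage", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.7", "requestParameters": {"instanceId": "i-0abc", "name": "prod-base-v2", "noReboot": true}}
{"sourcetype": "aws:cloudtrail", "eventName": "PutImage", "eventSource": "ecr.amazonaws.com", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "sourceIPAddress": "198.51.100.9", "requestParameters": {"repositoryName": "api", "imageTag": "latest"}}
{"sourcetype": "aws:cloudtrail", "eventName": "PutImage", "eventSource": "ecr.amazonaws.com", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/github-actions-ecr/run-42"}, "sourceIPAddress": "192.0.2.10", "requestParameters": {"repositoryName": "api", "imageTag": "1.4.2"}}
{"sourcetype": "aws:cloudtrail", "eventName": "DescribeImages", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.7"}
{"sourcetype": "azure:activity", "operationName": "MICROSOFT.CONTAINERREGISTRY/REGISTRIES/IMPORTIMAGE/ACTION", "caller": "svc-deploy@contoso.example", "callerIpAddress": "10.4.2.9", "resourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.ContainerRegistry/registries/contosoacr"}
{"sourcetype": "azure:activity", "operationName": "MICROSOFT.COMPUTE/IMAGES/READ", "caller": "reader@contoso.example", "callerIpAddress": "10.4.2.9", "resourceId": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Compute/images/base"}
{"sourcetype": "docker:daemon", "message": "push localhost:5000/backdoored-api:latest"}
""".strip().splitlines()]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["RiskScore"], row["Platform"], row["EventOp"], row["Target"], row["ActorUser"])
```

Run as-is it prints three rows: the CreateImage from a public IP (score 1), the root-user PutImage (score 2) and the ACR import from an internal address (score 0). The CI-role push, the DescribeImages read, the Azure images/read and the Docker daemon line produce nothing, which is exactly what the SPL query would do with the same events.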
