Detect Implant Internal Image in Sumo Logic CSE
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. AWS AMIs, GCP Images, Azure Images, and container registries such as ECR, ACR, and Docker Hub private registries can be backdoored. Unlike uploading malware to external infrastructure, this technique focuses on modifying or creating images within a victim's own cloud environment. If the infrastructure provisioning pipeline is configured to always pull the latest image, a backdoored image ensures persistent access to any newly spun-up instance.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1525 Implant Internal Image
- Canonical reference: https://attack.mitre.org/techniques/T1525/
Sumo Detection Query
(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/activity)
| json auto
| if(_sourceCategory matches "aws*", "AWS", "Azure") as Platform
| if(Platform = "AWS", eventName, operationName) as EventOp
| where (Platform = "AWS" AND EventOp in ("CreateImage","RegisterImage","CopyImage","ImportImage",
"ModifyImageAttribute","PutImage","CompleteLayerUpload","InitiateLayerUpload"))
OR (Platform = "Azure" AND (EventOp matches /(?i)microsoft\.compute\/(images|virtualmachines\/capture)/
OR EventOp matches /(?i)microsoft\.containerregistry\/registries\/(push|importimage)/))
| if(Platform = "AWS", sourceIPAddress, callerIpAddress) as SourceIP
| if(Platform = "AWS", userIdentityArn, caller) as Actor
| if(!(SourceIP matches /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|AWS Internal)/), 1, 0) as IsExternal
| fields _time, Platform, EventOp, Actor, SourceIP, IsExternal
| sort by _time desc
Detects cloud image implanting activity across AWS and Azure in Sumo Logic. The query normalizes CloudTrail and Azure Activity Log records into one schema (Platform, EventOp, Actor, SourceIP), keeps only image-write operations, and flags requests whose source address is neither RFC 1918 nor the CloudTrail literal "AWS Internal".
False Positives & Tuning
- CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)
- Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots
- Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs
- Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use
- Security teams creating forensic images from compromised instances as part of an incident response workflow
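The same normalization and filtering the query performs, written as an added Python example that is not part of the original page: it maps CloudTrail and Azure Activity records onto the query's Platform, EventOp, Actor, SourceIP and IsExternal columns and adds the actor allowlist that the tuning list above calls for. The sample records, the account id and the packer-build-role ARN are constructed, and TRUSTED_ACTORS is a hypothetical allowlist.

```python
import ipaddress
import re
# Event names and operation patterns taken from the Sumo query on this page.
AWS_IMAGE_EVENTS = {"CreateImage", "RegisterImage", "CopyImage", "ImportImage",
                    "ModifyImageAttribute", "PutImage", "CompleteLayerUpload", "InitiateLayerUpload"}
AZURE_IMAGE_OPS = re.compile(r"microsoft\.compute/(images|virtualmachines/capture)"
                             r"|microsoft\.containerregistry/registries/(push|importimage)", re.I)
# RFC 1918 ranges: the same ones the query's IsExternal regex treats as internal.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allowlist of build-pipeline principals (the CI/CD false positives in the tuning list).
TRUSTED_ACTORS = {"arn:aws:sts::111122223333:assumed-role/packer-build-role/packer"}
def is_external(source_ip):
    """True unless the IP is RFC 1918 or CloudTrail's literal 'AWS Internal'."""
    if source_ip == "AWS Internal":
        return False
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True  # unparseable value: keep it visible rather than silently dropping it
    return not any(addr in net for net in PRIVATE_NETS)

def normalize(source_category, record):
    """Apply the query's per-platform field mapping; None if not an image-write operation."""
    if source_category.startswith("aws"):
        op, platform = record.get("eventName", ""), "AWS"
        if op not in AWS_IMAGE_EVENTS:
            return None
        actor, ip = record.get("userIdentity", {}).get("arn", ""), record.get("sourceIPAddress", "")
    else:
        op, platform = record.get("operationName", ""), "Azure"
        if not AZURE_IMAGE_OPS.search(op):
            return None
        actor, ip = record.get("caller", ""), record.get("callerIpAddress", "")
    return {"Platform": platform, "EventOp": op, "Actor": actor, "SourceIP": ip,
            "IsExternal": int(is_external(ip)), "Trusted": actor in TRUSTED_ACTORS}
# Constructed sample records (not real telemetry), including the Packer build role allowlisted above.
SAMPLE_EVENTS = [
    ("aws/cloudtrail", {"eventName": "CreateImage", "sourceIPAddress": "203.0.113.7",
                        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}),
    ("aws/cloudtrail", {"eventName": "PutImage", "sourceIPAddress": "10.20.30.40",
                        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/packer-build-role/packer"}}),
    ("aws/cloudtrail", {"eventName": "DescribeImages", "sourceIPAddress": "AWS Internal"}),
    ("azure/activity", {"operationName": "microsoft.containerregistry/registries/importimage/action",
                        "caller": "bob@example.com", "callerIpAddress": "198.51.100.9"}),
]

def detect(events=SAMPLE_EVENTS, require_external=False):
    # Normalized hits minus allowlisted actors; optionally only those from non-internal addresses.
    hits = [h for h in (normalize(c, r) for c, r in events) if h and not h["Trusted"]]
    return [h for h in hits if h["IsExternal"]] if require_external else hits
```

Running detect() on the samples returns the AMI creation and the ACR import and drops the Packer push, which is the tuning behaviour the false-positive list describes.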
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS AMI Creation from Existing Instance
Expected signal: AWS CloudTrail event: EventName=CreateImage, EventSource=ec2.amazonaws.com. The event will include requestParameters with instanceId, name, and noReboot fields. A follow-up DescribeImages event will appear as the AMI status is checked. The actor's IAM ARN, source IP, and user agent (aws-cli) will be captured in UserIdentityArn, SourceIpAddress, and UserAgent fields.
- Test 2: Docker Image Modification and Push to Local Registry
Expected signal: Docker daemon logs will record the build and push operations. If Docker events are forwarded to Sumo Logic via a log shipper (for example an Installed Collector or Filebeat), events will show the image build and push with the image name and tag. In Kubernetes environments, admission controller logs (OPA, Kyverno) will record any attempt to run this image. Container runtime security tools (Falco, Sysdig) will generate events for the image push.
- Test 3: AWS ECR Image Push with Modified Tag
Expected signal: AWS CloudTrail events: GetAuthorizationToken (ECR login), InitiateLayerUpload (begin push), UploadLayerPart (each image layer), CompleteLayerUpload (layer commit), and PutImage (finalize image with tag) — all with EventSource=ecr.amazonaws.com. All events include the actor IAM ARN, source IP, repository ARN, and user agent. The PutImage event includes imageManifest in requestParameters.
- Test 4: Azure Container Registry Image Import
Expected signal: Azure Activity Log event: OperationName=microsoft.containerregistry/registries/importimage/action, ResourceType=Microsoft.ContainerRegistry/registries, ActivityStatus=Succeeded. Includes Caller (UPN or service principal), CallerIpAddress, and ResourceId. The Azure Monitor diagnostic logs for ACR will also record the image push with repository, tag, and digest details.