title: Malicious Image (T1204.003)
id: df00tech-t1204-003
status: experimental
description: "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services AMIs, Google Cloud Platform Images, Azure Images, and container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to public repositories, and users may download and deploy an instance or container without realizing the image is malicious. This technique is commonly used to deploy cryptocurrency miners, backdoors, and data exfiltration tools. TeamTNT is a prominent threat actor known for publishing malicious Docker images to Docker Hub containing XMRig cryptocurrency miners and credential stealers. Adversaries may also typosquat popular image names to increase the likelihood of accidental deployment."
references:
  - https://attack.mitre.org/techniques/T1204/003/
  - https://df00tech.com/detections/T1204.003
author: df00tech
date: 2026/04/19
tags:
  - attack.t1204.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate GPU compute or rendering workloads using non-standard network ports that overlap with mining pool port ranges
  - Authorized red team or penetration testing exercises deploying containers or VMs with miner tooling under a formal engagement
  - "Internal benchmark and performance testing tools with process names similar to mining tools (e.g., t-rex, cgminer used for GPU stress testing)"
  - "DevOps data pipeline workers with names like 'ethminer' or 'cpuminer' used for internal job queue processing (not mining)"
  - "Legitimate third-party marketplace VM deployments for network appliances, security tools, or specialized workloads not from major known publishers"
level: high