title: Implant Internal Image (T1525)
id: df00tech-t1525
status: experimental
description: "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. AWS AMIs, GCP Images, Azure Images, and container registries such as ECR, ACR, and Docker Hub private registries can be backdoored. Unlike uploading malware to external infrastructure, this technique focuses on modifying or creating images within a victim's own cloud environment. If the infrastructure provisioning pipeline is configured to always pull the latest image, a backdoored image ensures persistent access to any newly spun-up instance."
references:
  - https://attack.mitre.org/techniques/T1525/
  - https://df00tech.com/detections/T1525
author: df00tech
date: 2026/03/15
tags:
  - attack.t1525
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "CI/CD pipeline automation creating golden AMIs or base container images as part of a legitimate image build and push workflow (e.g., Packer, GitHub Actions, Jenkins pipelines)"
  - "Cloud operations engineers capturing VM images for disaster recovery, golden image refresh, or compliance-mandated snapshots"
  - "Infrastructure-as-code tools (Terraform, Pulumi, CDK) creating or modifying images during automated provisioning runs"
  - "Container registry mirroring jobs that replicate approved public images into an internal private registry for air-gapped or compliance use"
  - "Security teams creating forensic images from compromised instances as part of an incident response workflow"
level: high
