Image Creation

Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples:

  • Azure Compute Service Image Creation
    • Example: Creating a virtual machine image in Azure using Azure CLI: az image create --resource-group MyResourceGroup --name MyImage --source MyVM
  • AWS EC2 AMI (Amazon Machine Image) Creation
    • Example: Creating an AMI from an EC2 instance: aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"
  • Google Cloud Compute Engine Image Creation
    • Example: Creating a custom image using gcloud: gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a
  • VMware vSphere
    • Example: Exporting a VM to create an OVF (Open Virtualization Format) template, which could later be imported into other environments with potential tampering.
ID: DC0015
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name                  Channel
AWS:CloudTrail        RegisterImage
containerd:events     Image pull from untrusted registry (name NOT IN allowlist) or new digest never seen before
docker:daemon         docker build or docker commit commands followed by docker push to internal registry
docker:daemon         docker build or POST /build API request
kubernetes:apiserver  Pod spec triggering build or custom controller activity invoking image builds
kubernetes:audit      create
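
The containerd:events channel above combines a registry allowlist check with a first-seen digest check. The following is an added example, not part of the original page: the allowlist, the simplified event shape and the function names are assumptions, and the sample pulls are constructed. It resolves the registry the way Docker-style image references do, so the allowlist cannot be satisfied by a substring match.

```python
# Added example, not from the ATT&CK page. The allowlist, the event shape
# ({"image": ref}) and all names below are assumptions; SAMPLE is constructed.
ALLOWED_REGISTRIES = {"docker.io", "registry.internal.example:5000"}
KNOWN = "sha256:" + "a" * 64
SAMPLE = [
    {"image": "registry.internal.example:5000/team/app:1.0@" + KNOWN},
    {"image": "nginx:1.27"},
    {"image": "evil.example/docker.io/nginx@sha256:" + "b" * 64},
    {"image": "evil.example/docker.io/nginx@sha256:" + "b" * 64},
]

def split_reference(ref):
    """Return (registry, repository, digest or None) for an image reference."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # Docker convention: the first path component is a registry host only if
    # it contains '.' or ':' or is 'localhost'; otherwise docker.io is implied.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first.lower(), rest
    else:
        registry, repo = "docker.io", name
    # Drop a trailing tag: a ':' that appears after the last '/'.
    if ":" in repo.rsplit("/", 1)[-1]:
        repo = repo[: repo.rfind(":")]
    return registry, repo, (digest or None)

def evaluate_pulls(events, allowed=ALLOWED_REGISTRIES, seen_digests=None):
    """Flag pulls from registries outside the allowlist or with unseen digests."""
    seen = set(seen_digests or ())
    alerts = []
    for ev in events:
        registry, _repo, digest = split_reference(ev["image"])
        reasons = []
        if registry not in allowed:
            reasons.append("untrusted_registry")
        if digest is None:
            reasons.append("digest_missing")  # cannot compare against baseline
        elif digest not in seen:
            reasons.append("new_digest")
            seen.add(digest)  # later pulls of the same digest are not "new"
        if reasons:
            alerts.append({"image": ev["image"], "registry": registry,
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in evaluate_pulls(SAMPLE, seen_digests={KNOWN}):
        print(alert)
```
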

Detection Strategy