Image

A single file used to deploy a virtual machine/bootable disk into an on-premises or third-party cloud environment.[1][2]

ID: DS0007
Platform: IaaS
Collection Layer: Cloud Control Plane
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 16 April 2025

Data Components

Image: Image Creation

Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples:

  • Azure Compute Service Image Creation
    • Example: Creating a virtual machine image in Azure using Azure CLI: az image create --resource-group MyResourceGroup --name MyImage --source MyVM
  • AWS EC2 AMI (Amazon Machine Image) Creation
    • Example: Creating an AMI from an EC2 instance: aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"
  • Google Cloud Compute Engine Image Creation
    • Example: Creating a custom image using gcloud: gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a
  • VMware vSphere
    • Example: Exporting a VM as an OVF (Open Virtualization Format) template, which could later be imported into other environments with potential tampering.

This data component can be collected through the following measures:

Enable Cloud Platform Logging

  • Azure: Enable "Activity Logs" to capture image-related events such as PUT requests to Microsoft.Compute/images.
  • AWS: Use AWS CloudTrail to monitor CreateImage API calls.
  • Google Cloud: Enable "Cloud Audit Logs" to track custom image creation events under compute.googleapis.com/images.

API Monitoring

  • Monitor API activity to track the creation of new images using:
    • AWS SDK/CLI CreateImage.
    • Azure REST API for image creation.
    • Google Cloud Compute Engine APIs.

Cloud SIEM Integration

  • Ingest cloud platform logs into a centralized SIEM for real-time monitoring and alerting.
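
The three logging measures above each surface image creation in a provider-specific record shape, so a SIEM rule first has to normalize them. The following is an added example, not part of the ATT&CK data source page, that maps constructed CloudTrail CreateImage, Azure Activity Log Microsoft.Compute/images/write and Google Cloud Audit Log compute.images.insert records onto one schema and flags creations by principals outside a hypothetical allowlist of image-build identities. The allowlist entries, the field paths assumed for each log format (operationName.value, protoPayload.methodName and so on) and every sample record are assumptions and constructed data, not values from the page.

```python
"""Normalize image-creation events from AWS CloudTrail, Azure Activity Log and
GCP Cloud Audit Logs into one schema and flag creations by principals that are
not known image-build identities. All sample records below are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical allowlist of identities expected to build images (a CI/CD image
# pipeline, for instance). Constructed placeholders, not values from the page.
ALLOWED_IMAGE_BUILDERS = {
    "arn:aws:sts::111122223333:assumed-role/ImagePipelineRole/packer",
    "image-builder@my-project-id.iam.gserviceaccount.com",
}


@dataclass
class ImageCreationEvent:
    provider: str
    principal: str
    image_ref: str
    time: str


def normalize_aws(record: dict) -> Optional[ImageCreationEvent]:
    """CloudTrail record -> event if it is an EC2 CreateImage call."""
    if record.get("eventSource") != "ec2.amazonaws.com" or record.get("eventName") != "CreateImage":
        return None
    return ImageCreationEvent(
        provider="aws",
        principal=record.get("userIdentity", {}).get("arn", "unknown"),
        image_ref=record.get("responseElements", {}).get("imageId", "unknown"),
        time=record.get("eventTime", ""),
    )


def normalize_azure(entry: dict) -> Optional[ImageCreationEvent]:
    """Azure Activity Log entry -> event for a PUT (write) on Microsoft.Compute/images.
    Field paths (operationName.value, caller, resourceId) are assumed for the export format."""
    operation = entry.get("operationName", {}).get("value", "")
    if operation.lower() != "microsoft.compute/images/write":
        return None
    return ImageCreationEvent(
        provider="azure",
        principal=entry.get("caller", "unknown"),
        image_ref=entry.get("resourceId", "unknown"),
        time=entry.get("eventTimestamp", ""),
    )


def normalize_gcp(entry: dict) -> Optional[ImageCreationEvent]:
    """GCP Cloud Audit Log entry -> event for compute.images.insert
    (methodName of the form v1.compute.images.insert; assumed here)."""
    payload = entry.get("protoPayload", {})
    if not payload.get("methodName", "").endswith("compute.images.insert"):
        return None
    return ImageCreationEvent(
        provider="gcp",
        principal=payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        image_ref=payload.get("resourceName", "unknown"),
        time=entry.get("timestamp", ""),
    )


def collect_image_creations(aws: Iterable[dict], azure: Iterable[dict],
                            gcp: Iterable[dict]) -> List[ImageCreationEvent]:
    """Run every record through its provider's normalizer and drop non-matching ones."""
    events = [normalize_aws(r) for r in aws]
    events += [normalize_azure(e) for e in azure]
    events += [normalize_gcp(e) for e in gcp]
    return [e for e in events if e is not None]


def unexpected_creations(events: List[ImageCreationEvent], allowlist=ALLOWED_IMAGE_BUILDERS):
    """Image creations by principals outside the allowlist: the ones to review."""
    return [e for e in events if e.principal not in allowlist]


# Constructed sample log records (not real telemetry).
SAMPLE_AWS = [
    {"eventTime": "2025-04-16T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateImage",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ImagePipelineRole/packer"},
     "requestParameters": {"instanceId": "i-1234567890abcdef0", "name": "MyAMI"},
     "responseElements": {"imageId": "ami-1234567890abcdef0"}},
    {"eventTime": "2025-04-16T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]
SAMPLE_AZURE = [
    {"eventTimestamp": "2025-04-16T10:10:00Z", "caller": "mallory@example.com",
     "operationName": {"value": "Microsoft.Compute/images/write"},
     "resourceId": "/subscriptions/SUB-ID/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/images/MyImage"},
]
SAMPLE_GCP = [
    {"timestamp": "2025-04-16T10:15:00Z",
     "protoPayload": {"methodName": "v1.compute.images.insert",
                      "authenticationInfo": {"principalEmail": "image-builder@my-project-id.iam.gserviceaccount.com"},
                      "resourceName": "projects/my-project-id/global/images/my-custom-image"}},
    {"timestamp": "2025-04-16T10:16:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "resourceName": "projects/my-project-id/zones/us-central1-a/instances/vm1"}},
]

if __name__ == "__main__":
    for e in unexpected_creations(collect_image_creations(SAMPLE_AWS, SAMPLE_AZURE, SAMPLE_GCP)):
        print(f"[{e.provider}] unexpected image creation by {e.principal}: {e.image_ref} at {e.time}")
```

Matching on the operation name rather than the raw HTTP verb keeps the rule stable across export formats; in production the allowlist would be loaded from an inventory of pipeline identities rather than hard-coded.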

Detections

  • Enterprise T1612 Build Image on Host: Monitor for unexpected Docker image build requests to the Docker daemon on hosts in the environment.
  • Enterprise T1525 Implant Internal Image: Monitor interactions with images and containers by users to identify ones that are added anomalously.
  • Enterprise T1204 User Execution: Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
  • Enterprise T1204.003 User Execution: Malicious Image: Monitor the local image registry to make sure malicious images are not added.

Image: Image Deletion

Removal of a virtual machine image in a cloud infrastructure (ex: Azure Compute Service Images DELETE). Examples:

  • Azure Compute Service Image Deletion
    • Example: Deleting a virtual machine image using Azure CLI: az image delete --name MyImage --resource-group MyResourceGroup
  • AWS EC2 AMI (Amazon Machine Image) Deletion
    • Example: Deregistering an AMI in AWS: aws ec2 deregister-image --image-id ami-1234567890abcdef0
  • Google Cloud Compute Engine Image Deletion
    • Example: Deleting a custom image in Google Cloud: gcloud compute images delete my-custom-image
  • VMware vSphere
    • Example: Deleting a VM image/template from a vSphere environment:

This data component can be collected through the following measures:

Enable Cloud Platform Logging

  • Azure: Enable "Activity Logs" to capture DELETE requests to Microsoft.Compute/images.
  • AWS: Use AWS CloudTrail to monitor DeregisterImage or DeleteSnapshot API calls.
  • Google Cloud: Enable "Cloud Audit Logs" to track image deletion events under compute.googleapis.com/images.

API Monitoring

  • Monitor API activity to track the deletion of images using:
    • AWS SDK/CLI DeregisterImage or DeleteSnapshot.
    • Azure REST API DELETE operations for images.
    • Google Cloud Compute Engine APIs for image deletion.

Cloud SIEM Integration

  • Ingest logs into a centralized SIEM platform for monitoring and alerting.

Event Correlation

  • Correlate image deletion events with unusual account activity or concurrent unauthorized operations.
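
The event correlation measure above can be made concrete as a sliding-window rule. The following is an added example, not part of the original page: over constructed CloudTrail records it alerts when one principal issues several DeregisterImage or DeleteSnapshot calls inside a short window (the T1485 pattern of unexpected bulk image deletion) and, as the "concurrent unauthorized operations" signal, counts denied EC2 calls by the same principal within that window. The window length, the threshold, the set of denied errorCode values, the principal ARNs and all record contents are assumptions or constructed data.

```python
"""Sliding-window correlation over AWS CloudTrail records for image/snapshot
deletions. Alerts when one principal reaches `threshold` DeregisterImage or
DeleteSnapshot calls inside `window`, and counts denied EC2 calls by that
principal in the same window. All records below are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

DELETION_EVENTS = {"DeregisterImage", "DeleteSnapshot"}
# errorCode values treated as a denied call (assumed set; extend for your account).
DENIED_ERRORS = {"Client.UnauthorizedOperation", "AccessDenied"}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _target(record: dict) -> str:
    params = record.get("requestParameters") or {}
    return params.get("imageId") or params.get("snapshotId") or "unknown"


def find_deletion_bursts(records: List[dict],
                         window: timedelta = timedelta(minutes=10),
                         threshold: int = 3) -> List[Dict]:
    """Return one alert per principal whose successful deletions reach `threshold` inside `window`."""
    deletions = defaultdict(list)  # principal -> [(time, eventName, target)]
    denied = defaultdict(list)     # principal -> [time of a denied EC2 call]
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com":
            continue
        principal = r.get("userIdentity", {}).get("arn", "unknown")
        when = _ts(r["eventTime"])
        if r.get("errorCode") in DENIED_ERRORS:
            denied[principal].append(when)  # the call failed: a signal, not a deletion
        elif r.get("eventName") in DELETION_EVENTS:
            deletions[principal].append((when, r["eventName"], _target(r)))

    alerts = []
    for principal, events in deletions.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance `start` until events[start..end] fit inside the window
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            w_start = events[start][0]
            burst = [e for e in events if w_start <= e[0] <= w_start + window]
            w_end = burst[-1][0]
            alerts.append({
                "principal": principal,
                "window_start": w_start.isoformat(),
                "deleted": [f"{name}:{target}" for _, name, target in burst],
                "denied_calls_in_window": sum(1 for t in denied[principal] if w_start <= t <= w_end),
            })
            break  # one alert per principal is enough for triage
    return alerts


# Constructed sample records (not real telemetry). ARNs are placeholders.
MALLORY = "arn:aws:iam::111122223333:user/mallory"
ALICE = "arn:aws:iam::111122223333:user/alice"


def _rec(time: str, name: str, arn: str, **params) -> dict:
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


SAMPLE_RECORDS = [
    _rec("2025-04-16T09:00:00Z", "DeregisterImage", ALICE, imageId="ami-0aaaaaaaaaaaaaaa1"),
    _rec("2025-04-16T10:00:00Z", "DeregisterImage", MALLORY, imageId="ami-1234567890abcdef0"),
    _rec("2025-04-16T10:02:00Z", "DeleteSnapshot", MALLORY, snapshotId="snap-0bbbbbbbbbbbbbbb2"),
    dict(_rec("2025-04-16T10:03:00Z", "DeleteSnapshot", MALLORY, snapshotId="snap-0ccccccccccccccc3"),
         errorCode="Client.UnauthorizedOperation"),
    _rec("2025-04-16T10:04:00Z", "DeregisterImage", MALLORY, imageId="ami-0ddddddddddddddd4"),
    _rec("2025-04-16T10:06:00Z", "DeregisterImage", MALLORY, imageId="ami-0eeeeeeeeeeeeeee5"),
]

if __name__ == "__main__":
    for alert in find_deletion_bursts(SAMPLE_RECORDS):
        print(alert)
```

A single deletion by a known administrator produces no alert; the rule fires on the burst, and the denied-call count gives the analyst the second signal the page asks to correlate without a separate query.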

Detections

  • Enterprise T1485 Data Destruction: Monitor for unexpected deletion of a virtual machine image (ex: Azure Compute Service Images DELETE).

Image: Image Metadata

Contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples:

  • Azure Compute Service Image Metadata Example:
    • Name: MyCustomImage
    • Resource Group: MyResourceGroup
    • State: Available
    • Type: Managed Image
  • AWS EC2 AMI Metadata Example:
    • Image ID: ami-1234567890abcdef0
    • Name: ProdImage
    • State: Available
    • Platform: Windows
  • Google Cloud Compute Engine Image Metadata Example:
    • Image Name: webserver-image
    • Project: my-project-id
    • Family: webserver
    • Source Disk: my-disk-id
  • VMware vSphere Template Metadata Example:
    • Name: LinuxTemplate
    • Disk Size: 40GB
    • Network Adapter: VM Network

This data component can be collected through the following measures:

Cloud Platform-Specific Tools

  • Azure:
    • Use Azure CLI to query metadata: az image show --name MyCustomImage --resource-group MyResourceGroup
  • AWS:
    • Use AWS CLI to describe AMI metadata: aws ec2 describe-images --image-ids ami-1234567890abcdef0
  • Google Cloud:
    • Use Google Cloud SDK to retrieve image metadata: gcloud compute images describe webserver-image

APIs

  • Azure: GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/images/{imageName}
  • AWS: DescribeImages API.
  • Google Cloud: GET https://compute.googleapis.com/compute/v1/projects/{project}/global/images/{image}.

Cloud Management Portals

  • View metadata directly from the cloud provider's management console or dashboard.

SIEM Integration

  • Aggregate metadata into SIEM platforms for centralized monitoring.

Detections

  • Enterprise T1564.006 Hide Artifacts: Run Virtual Instance: Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.[3] Network adapter information may also be helpful in detecting the use of virtual instances.
  • Enterprise T1525 Implant Internal Image: Periodically baseline virtual machine images to identify malicious modifications or additions.
  • Enterprise T1036 Masquerading: Collecting disk and resource filenames for binaries and checking that the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.[4]
  • Enterprise T1036.005 Masquerading: Match Legitimate Resource Name or Location: In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.[5] Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.
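
The metadata collection measures above (describe-images and its Azure and Google Cloud equivalents) feed the T1525 detection of periodically baselining images and the T1036.005 advice to compare images by ID rather than name. The following is an added example, not code from the ATT&CK page: an inventory in the shape of aws ec2 describe-images output is diffed against a stored baseline keyed on ImageId, reporting new and removed images, changes to watched fields such as Public, a new image that reuses a baseline image's Name under a different ID, and each image's total volume size (the size signal mentioned under T1564.006). The watched-field list, the helper names and both inventories are assumptions and constructed data; the page-provided identifiers ami-1234567890abcdef0 and ProdImage are reused as sample values.

```python
"""Baseline-and-diff of VM image metadata. Inventory records follow the shape of
`aws ec2 describe-images` output (ImageId, Name, Public, OwnerId, RootDeviceName,
BlockDeviceMappings). Both inventories below are constructed samples."""
from typing import Dict, List

# Fields whose change between baseline and current is worth a finding (assumed list).
WATCHED_FIELDS = ("Name", "Public", "OwnerId", "RootDeviceName")


def total_volume_gib(image: dict) -> int:
    """Sum of EBS volume sizes in GiB; unusually small images are one T1564.006 signal."""
    return sum((m.get("Ebs") or {}).get("VolumeSize", 0)
               for m in image.get("BlockDeviceMappings", []))


def diff_image_inventory(baseline: List[dict], current: List[dict]) -> List[Dict]:
    """Compare two inventories keyed on ImageId and return a list of findings."""
    base = {img["ImageId"]: img for img in baseline}
    cur = {img["ImageId"]: img for img in current}
    base_names = {img.get("Name"): img["ImageId"] for img in baseline}
    findings: List[Dict] = []

    # Images that appeared since the baseline. Compare by ID; a reused display
    # name under a different ID is a possible masquerade (T1036.005).
    for image_id in sorted(cur.keys() - base.keys()):
        img = cur[image_id]
        finding = {"type": "new_image", "image_id": image_id, "name": img.get("Name"),
                   "size_gib": total_volume_gib(img)}
        if img.get("Name") in base_names:
            finding["type"] = "name_collision"
            finding["collides_with"] = base_names[img.get("Name")]
        findings.append(finding)

    # Images that disappeared since the baseline (cross-check with deletion logs).
    for image_id in sorted(base.keys() - cur.keys()):
        findings.append({"type": "removed_image", "image_id": image_id,
                         "name": base[image_id].get("Name")})

    # Surviving images: report changes to watched fields and to total size.
    for image_id in sorted(base.keys() & cur.keys()):
        for field in WATCHED_FIELDS:
            old, new = base[image_id].get(field), cur[image_id].get(field)
            if old != new:
                findings.append({"type": "field_changed", "image_id": image_id,
                                 "field": field, "old": old, "new": new})
        old_size, new_size = total_volume_gib(base[image_id]), total_volume_gib(cur[image_id])
        if old_size != new_size:
            findings.append({"type": "size_changed", "image_id": image_id,
                             "old": old_size, "new": new_size})
    return findings


# Constructed sample inventories (not real account data).
def _image(image_id: str, name: str, size_gib: int, public: bool = False,
           owner: str = "111122223333") -> dict:
    return {"ImageId": image_id, "Name": name, "Public": public, "OwnerId": owner,
            "RootDeviceName": "/dev/sda1",
            "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"VolumeSize": size_gib}}]}


BASELINE_INVENTORY = [
    _image("ami-1234567890abcdef0", "ProdImage", 40),
    _image("ami-0aaaaaaaaaaaaaaa1", "webserver-image", 20),
]
CURRENT_INVENTORY = [
    _image("ami-1234567890abcdef0", "ProdImage", 40, public=True),            # made public
    _image("ami-0bbbbbbbbbbbbbbb2", "ProdImage", 8, owner="999988887777"),  # new ID, reused name
]

if __name__ == "__main__":
    for finding in diff_image_inventory(BASELINE_INVENTORY, CURRENT_INVENTORY):
        print(finding)
```

The baseline would normally be the previous run's describe-images output stored alongside the SIEM; keying on ImageId rather than Name is what lets the name_collision finding surface, since a name-keyed comparison would report the imposter as an unchanged ProdImage.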

Image: Image Modification

Changes made to a virtual machine image, including settings and/or control data (ex: Azure Compute Service Images PATCH).

Detections

  • Enterprise T1525 Implant Internal Image: Monitor interactions with images and containers by users to identify ones that are modified anomalously. In containerized environments, changes may be detectable by monitoring the Docker daemon logs or by setting up and monitoring Kubernetes audit logs, depending on registry configuration.

References