Image Creation: Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images that include malicious software or misconfigurations for later exploitation. Each of the commands below produces a reusable image (an Azure managed image, an AWS AMI, a GCP custom image) from an existing VM or disk, and each generates an audit-log entry on its platform. Examples:
az image create --resource-group MyResourceGroup --name MyImage --source MyVM
aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"
gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a
This data component can be collected through the following measures:
- Enable Cloud Platform Logging: Azure Activity Log entries for `Microsoft.Compute/images` (the write operation), AWS CloudTrail records for `CreateImage` API calls, and GCP Cloud Audit Logs for `compute.googleapis.com/images`.
- API Monitoring: alert on `CreateImage` (and the Azure and GCP equivalents above) when the calling principal is not the image-build pipeline, or when the source instance or disk is one that should never be imaged (for example a production database host).
- Cloud SIEM Integration: forward the logs above to the SIEM so that an image creation can be correlated with the identity that issued it, the source instance, and any later launches from the new image.
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1612 | Build Image on Host | Monitor for unexpected Docker image build requests to the Docker daemon on hosts in the environment.
Enterprise | T1525 | Implant Internal Image | Monitor interactions with images and containers by users to identify ones that are added anomalously.
Enterprise | T1204 | User Execution | Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Enterprise | T1204.003 | User Execution: Malicious Image | Monitor the local image registry to make sure malicious images are not added.
Image Deletion: Removal of a virtual machine image in a cloud infrastructure (ex: Azure Compute Service Images DELETE). Examples:
az image delete --name MyImage --resource-group MyResourceGroup
aws ec2 deregister-image --image-id ami-1234567890abcdef0
gcloud compute images delete my-custom-image
Note that deregistering an AMI does not delete the EBS snapshots that back it; `DeleteSnapshot` is listed below because an adversary who wants the image (or the data in it) truly gone has to delete those as well.
This data component can be collected through the following measures:
- Enable Cloud Platform Logging: Azure Activity Log entries for `Microsoft.Compute/images` (the delete operation), AWS CloudTrail records for `DeregisterImage` or `DeleteSnapshot` API calls, and GCP Cloud Audit Logs for `compute.googleapis.com/images`.
- API Monitoring: alert on `DeregisterImage` or `DeleteSnapshot` (and the Azure and GCP equivalents above), in particular when the target is a golden or baseline image, or when the caller is not the identity that normally retires images.
- Cloud SIEM Integration: forward the logs above to the SIEM.
- Event Correlation: tie a deletion to the preceding creation or modification events for the same image and to the identity involved; a golden image deleted shortly after a similarly named image was created by an unexpected principal is a pattern worth surfacing.
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1485 | Data Destruction | Monitor for unexpected deletion of a virtual machine image (ex: Azure Compute Service Images DELETE).
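Detection logic over the audit-log sources named in the Image Creation and Image Deletion collection measures above, as one added example that is not from the ATT&CK page. It assumes simplified record shapes for AWS CloudTrail, the Azure Activity Log and GCP Cloud Audit Logs, a constructed set of sample records, and a hypothetical allow-list of image-build identities. The Azure `Microsoft.Compute/images/write` and `/delete` operation names and the GCP `v1.compute.images.insert` and `.delete` method names are the ones those platforms log for managed-image and custom-image changes; the AWS names are the `CreateImage`, `DeregisterImage` and `DeleteSnapshot` calls listed above.

```python
"""Triage VM-image lifecycle events from AWS CloudTrail, Azure Activity Log
and GCP Cloud Audit Log records.  Added example, not from the ATT&CK page;
the log records and the allow-list below are constructed for the demo."""
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Hypothetical identities that are allowed to build images (e.g. a Packer
# pipeline).  Anything else creating an image is worth a look.
APPROVED_IMAGE_BUILDERS = {
    "arn:aws:sts::123456789012:assumed-role/ImagePipelineRole/packer",
    "packer@example-project.iam.gserviceaccount.com",
    "image-pipeline-sp@example.onmicrosoft.com",
}

# Audit-log operations behind the Image Creation / Image Deletion components.
CREATE_OPS = {"CreateImage", "Microsoft.Compute/images/write", "v1.compute.images.insert"}
DELETE_OPS = {"DeregisterImage", "DeleteSnapshot",
              "Microsoft.Compute/images/delete", "v1.compute.images.delete"}


@dataclass
class ImageEvent:
    platform: str
    operation: str
    principal: str
    target: str
    time: str


def normalize(record: dict) -> Optional[ImageEvent]:
    """Map one raw record to a common shape; None if it is not an image event."""
    if "eventName" in record:                      # AWS CloudTrail
        params = record.get("requestParameters") or {}
        ev = ImageEvent("aws", record["eventName"],
                        record.get("userIdentity", {}).get("arn", ""),
                        params.get("imageId") or params.get("instanceId")
                        or params.get("snapshotId") or "",
                        record.get("eventTime", ""))
    elif "operationName" in record:                # Azure Activity Log
        ev = ImageEvent("azure", record["operationName"], record.get("caller", ""),
                        record.get("resourceId", ""), record.get("eventTimestamp", ""))
    elif "protoPayload" in record:                 # GCP Cloud Audit Log
        p = record["protoPayload"]
        ev = ImageEvent("gcp", p.get("methodName", ""),
                        p.get("authenticationInfo", {}).get("principalEmail", ""),
                        p.get("resourceName", ""), record.get("timestamp", ""))
    else:
        return None
    return ev if ev.operation in CREATE_OPS | DELETE_OPS else None


def triage(records: List[dict]) -> List[dict]:
    """Every deletion is a finding; a creation is a finding only when the
    caller is not an approved image builder.  Reads of image metadata are ignored."""
    findings = []
    for rec in records:
        ev = normalize(rec)
        if ev is None:
            continue
        if ev.operation in DELETE_OPS:
            findings.append({"severity": "high", "reason": "image or backing snapshot deleted", **asdict(ev)})
        elif ev.principal not in APPROVED_IMAGE_BUILDERS:
            findings.append({"severity": "medium", "reason": "image created outside the image pipeline", **asdict(ev)})
    return findings


# Constructed sample records, one JSON object per line as a SIEM export might look.
SAMPLE_LOG = r'''
{"eventTime":"2024-05-01T09:00:00Z","eventName":"CreateImage","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ImagePipelineRole/packer"},"requestParameters":{"instanceId":"i-0123456789abcdef0","name":"web-2024-05-01"}}
{"eventTime":"2024-05-01T23:41:12Z","eventName":"CreateImage","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"instanceId":"i-0fedcba9876543210","name":"backup-tmp"}}
{"eventTime":"2024-05-01T23:55:03Z","eventName":"DescribeImages","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{}}
{"eventTime":"2024-05-02T00:10:44Z","eventName":"DeregisterImage","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"imageId":"ami-0a1b2c3d4e5f60001"}}
{"eventTimestamp":"2024-05-02T01:00:00Z","operationName":"Microsoft.Compute/images/write","caller":"image-pipeline-sp@example.onmicrosoft.com","resourceId":"/subscriptions/0000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/images/MyImage"}
{"timestamp":"2024-05-02T02:30:00Z","protoPayload":{"methodName":"v1.compute.images.delete","authenticationInfo":{"principalEmail":"dev@example.com"},"resourceName":"projects/example-project/global/images/my-custom-image"}}
'''


def demo() -> List[dict]:
    """Run the triage over the constructed export and return the findings."""
    records = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]
    return triage(records)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"], f["platform"], f["operation"], f["principal"], f["target"], sep=" | ")
```

Of the six constructed records, the pipeline-role `CreateImage` and the Azure write by the pipeline service principal are expected and produce nothing, the `DescribeImages` read is not a lifecycle event, and the remaining three (an out-of-hours `CreateImage` by an IAM user, the `DeregisterImage` that follows it, and the GCP image delete) become findings. Keying the allow-list on the full caller identity rather than the account keeps an attacker with a stolen developer credential from hiding behind "it was our account".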
Image Metadata: Contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples:
az image show --name MyCustomImage --resource-group MyResourceGroup
aws ec2 describe-images --image-ids ami-1234567890abcdef0
gcloud compute images describe webserver-image
On AWS, `describe-images` does not return launch permissions; to see who an AMI is shared with, query `aws ec2 describe-image-attribute --image-id <id> --attribute launchPermission` as well.
This data component can be collected through the following measures:
- Cloud Platform-Specific Tools: the CLI commands above.
- APIs: Azure `GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/images/{imageName}`; AWS `DescribeImages`; GCP `GET https://compute.googleapis.com/compute/v1/projects/{project}/global/images/{image}`.
- Cloud Management Portals
- SIEM Integration
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1564.006 | Hide Artifacts: Run Virtual Instance | Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.[3] Network adapter information may also be helpful in detecting the use of virtual instances.
Enterprise | T1525 | Implant Internal Image | Periodically baseline virtual machine images to identify malicious modifications or additions.
Enterprise | T1036 | Masquerading | Collecting disk and resource filenames for binaries, and comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity.[4]
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.[5] Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.
Image Modification: Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH).
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1525 | Implant Internal Image | Monitor interactions with images and containers by users to identify ones that are modified anomalously. In containerized environments, changes may be detectable by monitoring the Docker daemon logs or by setting up and monitoring Kubernetes audit logs, depending on registry configuration.
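The periodic baselining called for under Image Metadata (T1525), the compare-by-ID-rather-than-name advice under T1036.005, and the anomalous-modification monitoring in the Image Modification table above, as one added example that is not from the ATT&CK page. It assumes `aws ec2 describe-images` output reduced to a constructed subset of its real fields, a hypothetical helper `_ami` to build those records, and that the baseline is simply the earlier inventory keyed by `ImageId`.

```python
"""Baseline-and-diff for cloud VM image metadata, keyed on image ID and the
backing snapshot rather than on the image name.  Added example, not from the
ATT&CK page; the describe-images style records below are constructed."""
import hashlib
import json
from typing import Dict, List

# Fields of an `aws ec2 describe-images` record whose change matters here.
WATCHED = ("Name", "OwnerId", "Public", "State", "CreationDate", "BlockDeviceMappings")


def fingerprint(image: dict) -> str:
    """SHA-256 over the watched fields in canonical JSON form, so a renamed
    image or a swapped backing snapshot both change the fingerprint."""
    canon = json.dumps({k: image.get(k) for k in WATCHED}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def index(images: List[dict]) -> Dict[str, dict]:
    """Key images by ImageId; this is what gets stored as the baseline."""
    return {img["ImageId"]: img for img in images}


def diff_images(baseline: Dict[str, dict], current: Dict[str, dict]) -> dict:
    """Compare a fresh inventory to the baseline and report additions, removals,
    modifications (with the fields that changed), images that became public,
    and new images whose Name collides with an existing image (T1036.005)."""
    report = {"added": [], "removed": [], "modified": [], "made_public": [], "name_collisions": []}
    name_to_id = {img.get("Name"): iid for iid, img in baseline.items()}
    for iid, img in current.items():
        if iid not in baseline:
            report["added"].append(iid)
            twin = name_to_id.get(img.get("Name"))
            if twin is not None and twin != iid:
                report["name_collisions"].append((iid, twin))
            continue
        old = baseline[iid]
        if fingerprint(old) != fingerprint(img):
            report["modified"].append((iid, [k for k in WATCHED if old.get(k) != img.get(k)]))
        if img.get("Public") and not old.get("Public"):
            report["made_public"].append(iid)
    report["removed"] = [iid for iid in baseline if iid not in current]
    return report


def _ami(image_id, name, snapshot_id, created, public=False):
    """Hypothetical helper: build a constructed describe-images record (subset of real fields)."""
    return {"ImageId": image_id, "Name": name, "OwnerId": "123456789012", "Public": public,
            "State": "available", "CreationDate": created,
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": snapshot_id}}]}


# Constructed inventories: what `aws ec2 describe-images --owners self` returned
# when the baseline was taken, and what it returns now.
BASELINE = [
    _ami("ami-0a1b2c3d4e5f60001", "webserver-golden", "snap-0000000000000001", "2024-03-01T10:00:00.000Z"),
    _ami("ami-0a1b2c3d4e5f60002", "bastion-golden", "snap-0000000000000002", "2024-03-01T10:05:00.000Z"),
    _ami("ami-0a1b2c3d4e5f60003", "legacy-app", "snap-0000000000000003", "2024-01-15T08:00:00.000Z"),
]
CURRENT = [
    _ami("ami-0a1b2c3d4e5f60001", "webserver-golden", "snap-0000000000000001", "2024-03-01T10:00:00.000Z"),
    # bastion image now backed by a different snapshot and shared publicly
    _ami("ami-0a1b2c3d4e5f60002", "bastion-golden", "snap-0bad0bad0bad0bad0", "2024-03-01T10:05:00.000Z", public=True),
    # legacy-app is gone; a new image reuses the golden web server's name
    _ami("ami-0a1b2c3d4e5f60004", "webserver-golden", "snap-0000000000000004", "2024-05-02T03:12:00.000Z"),
]


def demo() -> dict:
    """Diff the constructed current inventory against the constructed baseline."""
    return diff_images(index(BASELINE), index(CURRENT))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report flags the bastion image as modified (backing snapshot swapped, launch permission opened to the public), the legacy image as removed, and the new image as both an addition and a name collision with the existing golden web server image, which is the case a name-only comparison would miss. In practice the baseline would be refreshed by the image pipeline itself after each approved build, so that anything it did not produce stands out on the next diff.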