Image

A single file used to deploy a virtual machine or bootable disk into an on-premises or third-party cloud environment[1][2]

ID: DS0007
Platform: IaaS
Collection Layer: Cloud Control Plane
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Image: Image Creation

Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)

Domain ID Name Detects
Enterprise T1612 Build Image on Host

Monitor for unexpected Docker image build requests to the Docker daemon on hosts in the environment.

Enterprise T1525 Implant Internal Image

Monitor interactions with images and containers by users to identify ones that are added anomalously.

Enterprise T1204 User Execution

Monitor for newly constructed images that users may be lured into running, such as images pulled from public registries or deployed from a cloud marketplace, since an image is a vehicle for delivering code that executes when a user deploys it.

Enterprise T1204 .003 User Execution: Malicious Image

Monitor the local image registry to make sure malicious images are not added.

Image: Image Deletion

Removal of a virtual machine image (ex: Azure Compute Service Images DELETE)

Domain ID Name Detects
Enterprise T1485 Data Destruction

Monitor for unexpected deletion of a virtual machine image (ex: Azure Compute Service Images DELETE)

Image: Image Metadata

Contextual data about a virtual machine image such as name, resource group, state, or type

Domain ID Name Detects
Enterprise T1564 .006 Hide Artifacts: Run Virtual Instance

Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.[3] Network adapter information may also be helpful in detecting the use of virtual instances.

Enterprise T1525 Implant Internal Image

Periodically baseline virtual machine images to identify malicious modifications or additions.

Enterprise T1036 Masquerading

Collecting disk and resource filenames for binaries and checking that the InternalName, OriginalFilename, and/or ProductName match what is expected can provide useful leads, but a mismatch is not always indicative of malicious activity. [4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.[5] Monitor for the unexpected creation of new resources within your Kubernetes cluster, especially those created by atypical users.
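The two detections above (periodic baselining of images, and comparing by image ID and layer hash rather than by name) reduce to the same check, shown here as an added example that is not part of the ATT&CK page. The records mimic the fields you would pull from `docker image inspect` or a registry manifest; the baseline, the current inventory, the registry hostname and the shortened digests are all constructed sample data.

```python
"""Compare a container image inventory against a baseline by content, not name.

Added example, not code from the ATT&CK page. Records carry the fields you
would pull from `docker image inspect` or a registry manifest (tag, image ID,
RootFS layer digests); both the baseline and the current inventory are
constructed sample data with shortened digests.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageRecord:
    ref: str          # repository:tag as presented to users
    image_id: str     # digest of the image config
    layers: tuple     # RootFS layer digests, bottom to top


def compare_inventory(baseline, current):
    """Return {image ref: finding}. Names only pair records; every verdict
    rests on the image ID and layer digests, so a re-pushed tag with new
    content is caught even though its name is unchanged."""
    base_by_ref = {r.ref: r for r in baseline}
    base_by_id = {r.image_id: r.ref for r in baseline}
    current_refs = {r.ref for r in current}
    findings = {}
    for rec in current:
        known = base_by_ref.get(rec.ref)
        if known is None:
            if rec.image_id in base_by_id:
                # Identical bits under a new name: a re-tag, not new content.
                findings[rec.ref] = f"known image re-tagged (baseline ref {base_by_id[rec.image_id]})"
            else:
                findings[rec.ref] = "new image not in baseline"
        elif rec.image_id != known.image_id:
            # Same tag, different content: report the layer delta.
            added = sorted(set(rec.layers) - set(known.layers))
            removed = sorted(set(known.layers) - set(rec.layers))
            findings[rec.ref] = f"tag reused with different content: added={added} removed={removed}"
        # identical ID and tag: nothing to report
    for ref in base_by_ref:
        if ref not in current_refs:
            findings[ref] = "baseline image missing"
    return findings


# Constructed baseline captured at a known-good point in time.
BASELINE = [
    ImageRecord("registry.example.internal/app/web:1.4.2", "sha256:aaaa1111",
                ("sha256:l1", "sha256:l2", "sha256:l3")),
    ImageRecord("registry.example.internal/app/worker:2.0.0", "sha256:bbbb2222",
                ("sha256:l1", "sha256:l4")),
    ImageRecord("registry.example.internal/app/cron:0.9.0", "sha256:eeee5555",
                ("sha256:l1", "sha256:l5")),
]

# Constructed current inventory: web:1.4.2 re-pushed with an extra layer,
# worker re-tagged as "stable", a public image nobody baselined, and cron gone.
CURRENT = [
    ImageRecord("registry.example.internal/app/web:1.4.2", "sha256:cccc3333",
                ("sha256:l1", "sha256:l2", "sha256:l3", "sha256:l9")),
    ImageRecord("registry.example.internal/app/worker:2.0.0", "sha256:bbbb2222",
                ("sha256:l1", "sha256:l4")),
    ImageRecord("registry.example.internal/app/worker:stable", "sha256:bbbb2222",
                ("sha256:l1", "sha256:l4")),
    ImageRecord("docker.io/library/busybox:latest", "sha256:dddd4444",
                ("sha256:l7",)),
]

if __name__ == "__main__":
    for ref, finding in compare_inventory(BASELINE, CURRENT).items():
        print(f"{ref}: {finding}")
```

The re-pushed web:1.4.2 is the case a name-only comparison misses entirely: the tag is identical, only the image ID and the added layer give it away. Mutable tags such as :latest make this worse, which is why the baseline should be keyed on digests that are pinned at deploy time.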

Image: Image Modification

Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)

Domain ID Name Detects
Enterprise T1525 Implant Internal Image

Monitor interactions with images and containers by users to identify ones that are modified anomalously. In containerized environments, changes may be detectable by monitoring the Docker daemon logs or by setting up and monitoring Kubernetes audit logs, depending on registry configuration.
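The Image Creation, Image Deletion and Image Modification components above all map to Azure Compute Images PUT, DELETE and PATCH, which land in the Azure Activity Log as Microsoft.Compute/images/write and Microsoft.Compute/images/delete events. The following is an added example, not code from the ATT&CK page, of triaging such events: the records are constructed to resemble Activity Log entries (operationName.value, httpRequest.method, caller, status.value, resourceId, eventTimestamp), and the allow-list of expected callers, the principal and resource names and the subscription placeholder SUB are assumptions made for the example.

```python
"""Triage Azure Activity Log events for image create/modify/delete.

Added example, not code from the ATT&CK page. Events are constructed to
resemble Activity Log records; the expected-caller allow-list, principal
names, resource names and the "SUB" subscription placeholder are assumptions.
"""
import json

# PUT (create) and PATCH (modify) of Microsoft.Compute/images both surface as
# the same write operation; the HTTP method separates the two data components.
IMAGE_OPERATIONS = {
    "Microsoft.Compute/images/write": {"PUT": "Image Creation", "PATCH": "Image Modification"},
    "Microsoft.Compute/images/delete": {"DELETE": "Image Deletion"},
}

# Assumption for this example: only the image build pipeline's service
# principal creates images, and it never patches or deletes them.
EXPECTED_CALLERS = {"packer-build-sp@example.com"}


def classify(event):
    """Map one Activity Log event to an Image data component, or None."""
    op = event.get("operationName", {}).get("value", "")
    method = event.get("httpRequest", {}).get("method", "").upper()
    return IMAGE_OPERATIONS.get(op, {}).get(method)


def triage(ndjson, expected_callers=EXPECTED_CALLERS):
    """Return findings for image operations outside the expected pattern.

    Activity Log emits a Started event and a terminal (Succeeded/Failed)
    event per operation; only the terminal event is considered so each
    action is reported once.
    """
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        component = classify(event)
        if component is None:
            continue
        if event.get("status", {}).get("value") == "Started":
            continue
        caller = event.get("caller", "<unknown>")
        reasons = []
        if caller not in expected_callers:
            reasons.append("caller not in image-pipeline allow-list")
        if component != "Image Creation":
            reasons.append("pipeline only creates images; modify/delete is always unexpected")
        if not reasons:
            continue
        findings.append({
            "component": component,
            "caller": caller,
            "source_ip": event.get("httpRequest", {}).get("clientIpAddress"),
            "image": event.get("resourceId", "").rsplit("/", 1)[-1],
            "timestamp": event.get("eventTimestamp"),
            "reasons": reasons,
        })
    return findings


# Constructed sample log: a normal pipeline build, then a PATCH and a DELETE
# by a user account from an external address, a Started event that must not
# produce a duplicate finding, and a VM write that is not an image operation.
SAMPLE_EVENTS = """\
{"operationName":{"value":"Microsoft.Compute/images/write"},"httpRequest":{"method":"PUT","clientIpAddress":"10.20.0.4"},"caller":"packer-build-sp@example.com","status":{"value":"Succeeded"},"resourceId":"/subscriptions/SUB/resourceGroups/images-rg/providers/Microsoft.Compute/images/web-base-20240101","eventTimestamp":"2024-01-01T10:00:00Z"}
{"operationName":{"value":"Microsoft.Compute/images/write"},"httpRequest":{"method":"PATCH","clientIpAddress":"203.0.113.9"},"caller":"contractor@example.com","status":{"value":"Succeeded"},"resourceId":"/subscriptions/SUB/resourceGroups/images-rg/providers/Microsoft.Compute/images/web-base-20240101","eventTimestamp":"2024-01-02T03:14:00Z"}
{"operationName":{"value":"Microsoft.Compute/images/delete"},"httpRequest":{"method":"DELETE","clientIpAddress":"203.0.113.9"},"caller":"contractor@example.com","status":{"value":"Started"},"resourceId":"/subscriptions/SUB/resourceGroups/images-rg/providers/Microsoft.Compute/images/worker-base-20231201","eventTimestamp":"2024-01-02T03:15:00Z"}
{"operationName":{"value":"Microsoft.Compute/images/delete"},"httpRequest":{"method":"DELETE","clientIpAddress":"203.0.113.9"},"caller":"contractor@example.com","status":{"value":"Succeeded"},"resourceId":"/subscriptions/SUB/resourceGroups/images-rg/providers/Microsoft.Compute/images/worker-base-20231201","eventTimestamp":"2024-01-02T03:15:01Z"}
{"operationName":{"value":"Microsoft.Compute/virtualMachines/write"},"httpRequest":{"method":"PUT","clientIpAddress":"10.20.0.4"},"caller":"packer-build-sp@example.com","status":{"value":"Succeeded"},"resourceId":"/subscriptions/SUB/resourceGroups/images-rg/providers/Microsoft.Compute/virtualMachines/pkr-1","eventTimestamp":"2024-01-01T09:50:00Z"}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In production the allow-list would come from the identities that actually run the image pipeline, and the same logic applies to a Docker daemon log or Kubernetes audit log once the operation, actor and image name are extracted: the signal is an image write or delete by an actor that has no business performing it.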

References