Implantation of malicious code into container images followed by registry push and use in new deployments.

| Data Component | Name | Channel |
|---|---|---|
| Image Creation (DC0015) | docker:daemon | docker build or docker commit commands followed by docker push to internal registry |
| Image Modification (DC0036) | docker:registry | push event of new image version from unrecognized user or context |

| Field | Description |
|---|---|
| TimeWindow | Time threshold between image creation and use in deployment – typically rapid in adversarial activity. |
| UserContext | The expected users or service accounts performing image pushes. |
| RegistryNameRegex | Expected naming patterns for trusted registries. |

Creation or modification of cloud virtual machine images (AMIs, custom images) with persistence mechanisms, followed by infrastructure provisioning that uses these implanted images.

| Data Component | Name | Channel |
|---|---|---|
| Image Creation (DC0015) | AWS:CloudTrail | RegisterImage |
| Image Modification (DC0036) | AWS:CloudTrail | ModifyImageAttribute |
| Instance Start (DC0080) | AWS:CloudTrail | RunInstances |

| Field | Description |
|---|---|
| IAMRole | Roles that are allowed to register and modify images should be scoped narrowly. |
| ImageTagRegex | Expected tags or naming patterns for images (e.g., 'golden-image', 'base-image'). |
| LaunchWindow | Time interval between image creation and instance launch. |
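As an added example (not part of the detection strategy itself), the following Python implements the cloud analytic above over constructed, simplified CloudTrail-style records: RegisterImage and ModifyImageAttribute events populate a per-image record, and each RunInstances launch is scored against the LaunchWindow, IAMRole and ImageTagRegex elements. The tunable values, the simplified field paths and the sample events are assumptions.

```python
import re
from datetime import datetime, timedelta

LAUNCH_WINDOW = timedelta(minutes=30)                         # LaunchWindow (assumed value)
TRUSTED_IMAGE_ROLES = {"ImageBakerRole"}                      # IAMRole (assumed value)
IMAGE_TAG_REGEX = re.compile(r"^(golden|base)-image-\d{8}$")  # ImageTagRegex (assumed value)

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _role(ev):  # assumed-role sessions name the role under sessionIssuer
    return ev["userIdentity"]["sessionContext"]["sessionIssuer"]["userName"]

def detect(events):
    """Correlate RegisterImage/ModifyImageAttribute with RunInstances; return alerts."""
    images, alerts = {}, []  # imageId -> last creation/modification {time, role, name}
    for ev in sorted(events, key=_ts):
        req = ev["requestParameters"]
        if ev["eventName"] == "RegisterImage":
            images[ev["responseElements"]["imageId"]] = {
                "time": _ts(ev), "role": _role(ev), "name": req.get("name", "")}
        elif ev["eventName"] == "ModifyImageAttribute" and req.get("imageId") in images:
            images[req["imageId"]].update(time=_ts(ev), role=_role(ev))  # modification restarts the window
        elif ev["eventName"] == "RunInstances":
            for iid in [i["imageId"] for i in req["instancesSet"]["items"] if i["imageId"] in images]:
                img = images[iid]  # images not created/modified in this batch are out of scope
                checks = [
                    (_ts(ev) - img["time"] <= LAUNCH_WINDOW, "launched within LaunchWindow"),
                    (img["role"] not in TRUSTED_IMAGE_ROLES, f"image handled by untrusted role {img['role']}"),
                    (not IMAGE_TAG_REGEX.match(img["name"]), f"name {img['name']!r} violates ImageTagRegex")]
                reasons = [msg for hit, msg in checks if hit]
                if reasons:
                    alerts.append({"imageId": iid, "launchedBy": _role(ev), "reasons": reasons})
    return alerts

def _event(time, name, role, req, resp=None):  # constructed, simplified CloudTrail-style record
    return {"eventTime": time, "eventName": name, "requestParameters": req,
            "responseElements": resp or {},
            "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": role}}}}

SAMPLE_EVENTS = [  # constructed: a compliant golden image is later modified and relaunched quickly
    _event("2024-05-01T08:00:00Z", "RegisterImage", "ImageBakerRole",
           {"name": "golden-image-20240501"}, {"imageId": "ami-11111111"}),
    _event("2024-05-02T09:00:00Z", "RunInstances", "AppDeployRole",
           {"instancesSet": {"items": [{"imageId": "ami-11111111"}]}}),
    _event("2024-05-02T09:30:00Z", "ModifyImageAttribute", "DevOpsUserRole",
           {"imageId": "ami-11111111"}),
    _event("2024-05-02T09:37:00Z", "RunInstances", "DevOpsUserRole",
           {"instancesSet": {"items": [{"imageId": "ami-11111111"}]}}),
]
```

The first launch is silent (trusted role, compliant name, 25 hours after creation); the second fires because the untrusted modification reset the window and the launch followed within seven minutes.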