New Public Repository Container Image detected in AWS ECR

cloudtrail

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1525-implant-internal-image

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.

NOTE: Amazon ECR requires that users have permission to make calls to the ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.

Strategy

Detect when @evt.name:PutImage is used against the ecr-public.amazonaws.com API.

Triage & Response

  1. Check that {{@responseElements.image.imageId.imageDigest}} is a valid sha256 hash for the container image with a tag of {{@responseElements.image.imageId.imageTag}} in the {{@responseElements.image.repositoryName}} repository on AWS Account {{@userIdentity.accountId}}.
  2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.
PREVIEWING: brett.blue/embedded-collector-release