Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1612 | Build Image on Host | Monitor for unexpected Docker image build requests to the Docker daemon on hosts in the environment.
Enterprise | T1525 | Implant Internal Image | Monitor interactions with images and containers by users to identify ones that are added anomalously.
Enterprise | T1204 | User Execution | Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Enterprise | T1204.003 | User Execution: Malicious Image | Monitor the local image registry to make sure malicious images are not added.

Removal of a virtual machine image (ex: Azure Compute Service Images DELETE)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1485 | Data Destruction | Monitor for unexpected deletion of a virtual machine image (ex: Azure Compute Service Images DELETE)

Contextual data about a virtual machine image such as name, resource group, state, or type

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1564.006 | Hide Artifacts: Run Virtual Instance | Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.[3] Network adapter information may also be helpful in detecting the use of virtual instances.
Enterprise | T1525 | Implant Internal Image | Periodically baseline virtual machine images to identify malicious modifications or additions.
Enterprise | T1036 | Masquerading | Collecting disk and resource filenames for binaries and checking that the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads but may not always be indicative of malicious activity.[4]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.[5] Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.

Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1525 | Implant Internal Image | Monitor interactions with images and containers by users to identify ones that are modified anomalously. In containerized environments, changes may be detectable by monitoring the Docker daemon logs or setting up and monitoring Kubernetes audit logs, depending on registry configuration.
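Added example, not code from the ATT&CK page: a small Python detector that applies the image creation, modification and deletion guidance above, plus the image-baseline advice from the Image Metadata table (compare by digest or layer hash, not by name), to constructed Azure Activity Log style records. The record field names, caller identities, resource paths and the builder allowlist are assumptions.

```python
"""Flag anomalous VM image lifecycle events and image content drift behind a stable name.
Record layout and sample values are constructed assumptions, not the page's own data."""

# Constructed sample records loosely modelled on Azure Activity Log fields (assumption);
# operationName values follow the Microsoft.Compute/images/{write,delete} form.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Compute/images/write", "httpMethod": "PUT",
     "caller": "packer-builder@example.com", "resourceId": "/images/golden-ubuntu-2204"},
    {"operationName": "Microsoft.Compute/images/write", "httpMethod": "PATCH",
     "caller": "contractor@example.com", "resourceId": "/images/golden-ubuntu-2204"},
    {"operationName": "Microsoft.Compute/images/delete", "httpMethod": "DELETE",
     "caller": "packer-builder@example.com", "resourceId": "/images/golden-ubuntu-2204"},
]

# Baseline of identities expected to create or modify images (e.g. the CI image pipeline).
IMAGE_BUILDERS = {"packer-builder@example.com"}


def flag_image_events(events, builders=IMAGE_BUILDERS):
    """Return (resourceId, reason) pairs worth an analyst's attention:
    T1525 / T1204.003 - image PUT or PATCH by a principal outside the builder baseline;
    T1485 - any image DELETE, which the table says to monitor for unconditionally."""
    findings = []
    for ev in events:
        op, method, who = ev["operationName"], ev["httpMethod"], ev["caller"]
        if op.endswith("/images/delete"):
            findings.append((ev["resourceId"], f"image deleted by {who} (T1485)"))
        elif op.endswith("/images/write") and who not in builders:
            findings.append((ev["resourceId"], f"image {method} by non-builder {who} (T1525)"))
    return findings


def image_drift(baseline, observed):
    """Compare images by digest / layer hash rather than by name (T1036.005, T1525):
    a known name whose digest changed, or a name absent from the baseline, is flagged."""
    drift = []
    for name, digest in observed.items():
        expected = baseline.get(name)
        if expected is None:
            drift.append((name, "not in baseline"))
        elif expected != digest:
            drift.append((name, f"digest changed {expected[:12]} -> {digest[:12]}"))
    return drift


if __name__ == "__main__":
    for rid, reason in flag_image_events(SAMPLE_EVENTS):
        print(rid, reason)
```

The PUT by the baselined builder is silent; the PATCH by an unexpected caller and the DELETE are both surfaced, matching the three tables' guidance.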