Skip to content
Threat Feed
medium advisory

AWS ECR Container Upload Anomaly Outside Business Hours

This detection identifies uploads of new containers to AWS Elastic Container Registry (ECR) outside of standard business hours, potentially indicating unauthorized access or malicious deployments.

This brief focuses on detecting anomalous container image uploads to AWS Elastic Container Registry (ECR) outside of standard business hours. The detection leverages AWS CloudTrail logs, specifically monitoring for PutImage API calls. The Splunk analytic "ASL AWS ECR Container Upload Outside Business Hours" identifies these deviations by flagging uploads occurring before 8 AM or after 8 PM, and any uploads that occur on weekends. Successful exploitation can lead to the deployment of compromised containers, potentially enabling unauthorized access, data breaches, or service disruption. This detection is crucial for security operations centers (SOCs) to identify potentially malicious activity within AWS environments.

Attack Chain

  1. An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role.
  2. The attacker uses the AWS CLI or AWS SDK to authenticate and interact with the ECR service.
  3. The attacker crafts or obtains a malicious container image.
  4. The attacker uses the PutImage API call to upload the malicious container image to a designated ECR repository. This occurs outside of established business hours to evade detection.
  5. AWS CloudTrail logs the PutImage event, capturing details such as the actor's user ID, source IP address, and the target repository.
  6. The malicious container image is then deployed within the AWS environment, potentially through ECS, EKS, or other container orchestration services.
  7. The deployed container executes malicious code, leading to data exfiltration, lateral movement, or denial-of-service attacks.

Impact

A successful attack can result in the deployment of malicious code within the victim's AWS environment. This can lead to unauthorized access to sensitive data, service disruption, or complete compromise of the AWS account. The impact can vary based on the permissions associated with the deployed container and the attacker's objectives. Detecting and responding to these anomalous uploads promptly is crucial to mitigating potential damages.

Recommendation

  • Deploy the provided Sigma rule to your SIEM and tune it for your specific business hours and AWS environment to detect suspicious container uploads (Sigma rule below).
  • Investigate any alerts generated by the Sigma rule by reviewing the associated CloudTrail logs for further indicators of compromise.
  • Monitor AWS CloudTrail logs for PutImage events and correlate them with other security events to identify potential patterns of malicious activity.
  • Review IAM policies and access controls to ensure that only authorized users and roles have the necessary permissions to upload container images to ECR.
  • Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.
  • Regularly audit and review AWS CloudTrail logs to identify and address any security misconfigurations or suspicious activity.
  • Implement automated container image scanning to identify vulnerabilities and malware before they are deployed.

Detection coverage 2

AWS ECR Container Upload Outside Business Hours

medium

Detects the upload of new containers to AWS ECR outside of standard business hours.

sigma tactics: execution techniques: T1204.003 sources: cloudtrail, aws

AWS ECR Container Upload via Uncommon User Agent

low

Detects container uploads to AWS ECR using uncommon User-Agent strings, potentially indicating malicious activity.

sigma tactics: execution techniques: T1204.003 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →