AWS ECR Container Upload Outside Business Hours
This analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours, indicating potential unauthorized activity and leveraging AWS CloudTrail logs to identify `PutImage` events during non-business hours.
This detection focuses on identifying anomalous container image uploads to AWS Elastic Container Registry (ECR). Specifically, it flags PutImage events logged in AWS CloudTrail that occur outside of typical business hours (between 8 PM and 8 AM, or on weekends). The detection aims to uncover potentially malicious activity such as unauthorized uploads from compromised accounts or insider threats. The version of the Splunk detection being used is 11, published on 2026-04-15. Successful exploitation could result in the deployment of unauthorized or malicious containers, potentially leading to data breaches, service disruptions, or supply chain compromise. Defenders should investigate any detected activity promptly to validate its legitimacy and prevent further malicious actions. The scope includes all AWS accounts utilizing ECR.
Attack Chain
- An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.
- The attacker leverages the AWS CLI or SDK to interact with the ECR service.
- The attacker authenticates to ECR using the compromised credentials or assumed role.
- The attacker builds or obtains a malicious container image.
- The attacker uses the
aws ecr get-login-passwordcommand to retrieve an authentication token for Docker. - The attacker authenticates Docker to the ECR registry using the retrieved token.
- The attacker executes a
docker pushcommand to upload the malicious container image to a target ECR repository using thePutImageAPI call. This occurs outside of normal business hours. - The malicious container image is subsequently deployed within the AWS environment, leading to code execution and further compromise.
Impact
A successful attack could allow an attacker to deploy unauthorized or malicious containers within the AWS environment. This can lead to data breaches, service disruptions, or the injection of malicious code into production systems. The number of affected organizations and the extent of the damage are dependent on the attacker's objectives and the security posture of the targeted AWS environment. The sectors most at risk are those heavily reliant on containerized applications, such as software development, financial services, and e-commerce.
Recommendation
- Deploy the Sigma rule
Detect AWS ECR Container Upload Outside Business Hoursto your SIEM and tune for your environment. - Investigate any
PutImageevents flagged by the detection during non-business hours, focusing on the user identified by theuserfield in the logs. - Review IAM policies associated with the user identified in the logs, ensuring they adhere to the principle of least privilege.
- Monitor AWS CloudTrail logs for suspicious activity related to container image uploads, using the
data_sourcefield as a reference. - Implement multi-factor authentication (MFA) for all AWS accounts and IAM users to mitigate the risk of credential compromise.
- Review and update container image security policies to prevent the deployment of unauthorized or vulnerable images.
Detection coverage 2
Detect AWS ECR Container Upload Outside Business Hours
mediumDetects container uploads to AWS Elastic Container Registry (ECR) outside of standard business hours (8 PM to 8 AM or weekends) using AWS CloudTrail logs.
Detect AWS ECR PutImage Event
infoDetects any PutImage event in AWS Elastic Container Registry (ECR), regardless of the time. This provides a baseline for monitoring container image uploads.
Detection queries are available on the platform. Get full rules →