AWS ECR Container Upload by Unknown User
An unauthorized user uploaded a new container image to AWS Elastic Container Registry (ECR), potentially leading to the deployment of malicious containers and further compromise of the AWS environment.
This alert detects the anomalous upload of a new container image to AWS Elastic Container Registry (ECR) by an account not in the known good list. The activity is identified by analyzing AWS CloudTrail logs for PutImage events originating from the ECR service. By filtering out uploads performed by known, authorized users, the detection highlights potentially malicious actions indicative of compromised credentials or insider threats. The unauthorized image upload could lead to the deployment of malicious containers, data exfiltration, or further compromise of the AWS environment. The original Splunk detection was published on 2026-04-17.
Attack Chain
- An attacker gains unauthorized access to AWS credentials through methods like credential stuffing or phishing.
- The attacker uses the compromised credentials to authenticate to the AWS environment via the AWS CLI or API.
- The attacker crafts or obtains a malicious container image designed for nefarious purposes.
- The attacker executes the
aws ecr put-imagecommand or uses the AWS API to upload the malicious container image to a specified ECR repository. This generates a CloudTrailPutImageevent. - AWS ECR stores the container image.
- The attacker deploys the malicious image using services like ECS or EKS.
- The malicious container executes, potentially leading to data exfiltration, lateral movement, or denial-of-service attacks.
Impact
An unauthorized container image upload can severely compromise an AWS environment. A successful attack can lead to the deployment of malicious code within the infrastructure, potentially affecting critical applications and data. This can result in data breaches, service disruptions, and reputational damage. The absence of specific victim counts makes it challenging to quantify the exact scope, but the nature of the attack suggests potentially broad implications for organizations utilizing AWS ECR.
Recommendation
- Deploy the Sigma rule
AWS ECR Container Upload by Unknown Userto your SIEM and tune theaws_ecr_usersmacro for your environment. - Investigate any alerts generated by the
AWS ECR Container Upload by Unknown UserSigma rule to determine the source and intent of the unknown image upload. - Implement multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to upload container images to ECR.
- Regularly review and audit AWS IAM policies to ensure least privilege access for all users and roles.
- Monitor AWS CloudTrail logs for suspicious API calls and unusual activity, focusing on ECR-related events as specified in the "data_source" section.
Detection coverage 2
AWS ECR Container Upload by Unknown User
highDetects the upload of a new container image to AWS Elastic Container Registry (ECR) by an unknown user.
AWS ECR PutImage Event with Uncommon User Agent
mediumDetects AWS ECR PutImage events with uncommon user agents, potentially indicating malicious tooling.
Detection queries are available on the platform. Get full rules →