Suspicious AWS ECR Container Upload Outside Business Hours
An AWS Elastic Container Registry (ECR) container image upload occurring outside of normal business hours can indicate suspicious or malicious activity, such as an attacker attempting to deploy compromised containers.
This alert focuses on detecting potentially malicious uploads to AWS Elastic Container Registry (ECR) that occur outside of typical business hours. While not inherently malicious, such activity can signify unauthorized access or insider threats attempting to deploy compromised container images. This detection is designed to identify anomalous behavior that warrants further investigation, especially in environments with strict container deployment policies. This detection uses the aws_ecr_container_upload_outside_business_hours.yml file from the Splunk security content repository.
Attack Chain
- An attacker gains unauthorized access to AWS credentials through compromised credentials, exposed keys, or other means.
- The attacker uses these credentials to authenticate to the AWS environment.
- The attacker creates or modifies a Docker image to include malicious software, backdoors, or other unwanted components.
- The attacker uploads the malicious Docker image to an AWS ECR repository outside of normal business hours. This is done using the
docker pushcommand or AWS CLI. - A deployment pipeline or manual deployment process pulls the newly uploaded (malicious) container image from ECR.
- The compromised container is deployed into a production or development environment.
- The malicious code within the container executes, potentially leading to data exfiltration, privilege escalation, or denial of service.
Impact
A successful attack could lead to the deployment of compromised containers in the AWS environment. This can result in data breaches, service disruptions, or unauthorized access to sensitive resources. The impact is highly dependent on the nature of the malicious code injected into the container image. Early detection of unusual ECR upload activity outside business hours can help prevent or mitigate the impact of such attacks.
Detection coverage 2
AWS ECR Container Upload Outside Business Hours
mediumDetects AWS ECR container image uploads occurring outside of normal business hours (e.g., 6 PM to 8 AM local time).
AWS ECR Container Upload by Uncommon User Agent
lowDetects AWS ECR container image uploads performed by a user agent that is not commonly associated with container deployments.
Detection queries are available on the platform. Get full rules →