{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-elastic-container-registry/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Elastic Container Registry","AWS CloudTrail","AWS Security Lake","AWS IAM"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","ecr","container"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious activity within an AWS Elastic Container Registry (ECR) environment. Specifically, it focuses on the unauthorized uploading of container images by users not previously known or authorized to perform such actions. This activity is detected by monitoring AWS CloudTrail logs for \u003ccode\u003ePutImage\u003c/code\u003e API calls. The alert triggers when a user who hasn't previously uploaded containers to ECR performs this action, raising concerns about potential account compromise, insider threats, or the deployment of malicious containers. The detection logic uses Amazon Security Lake (ASL) as a centralized source of CloudTrail data. This approach allows for a broader and more consistent view of activity across the AWS environment. The original Splunk ES datamodel version of this detection was published in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, possibly through compromised credentials or an IAM role with excessive privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the AWS CLI or API to authenticate to the AWS environment using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker builds or obtains a malicious container image, potentially containing malware or backdoors.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to upload the malicious container image to an AWS ECR repository using the \u003ccode\u003ePutImage\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs this \u003ccode\u003ePutImage\u003c/code\u003e API call, including the user identity (actor.user.uid), source IP (src_endpoint.ip), and operation details.\u003c/li\u003e\n\u003cli\u003eThe detection logic identifies the user as an unknown or unauthorized entity based on a lack of prior ECR upload activity.\u003c/li\u003e\n\u003cli\u003eSecurity personnel investigate the alert, examining the container image for malicious content and the user account for signs of compromise.\u003c/li\u003e\n\u003cli\u003eIf malicious activity is confirmed, remediation steps include revoking compromised credentials, quarantining the container image, and investigating the scope of the breach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUnauthorized container uploads to AWS ECR can have significant consequences. If successful, attackers can deploy malicious containers into production environments, leading to data breaches, system compromise, and service disruption. The scope of impact depends on the permissions granted to the compromised account or role and the nature of the deployed container. Depending on the compromised container's purpose, attackers could steal sensitive data, establish persistence, or launch further attacks within the AWS environment. The lack of known false positives suggests that any triggered alert warrants immediate investigation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Amazon Security Lake and configure it to collect AWS CloudTrail logs from all relevant AWS accounts and regions to provide comprehensive visibility of ECR activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS ECR Container Upload by Unknown User\u003c/code\u003e to your SIEM and tune the rule based on your organization's known ECR user base.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this detection, focusing on the source IP address (\u003ccode\u003esrc_endpoint.ip\u003c/code\u003e), user agent (\u003ccode\u003ehttp_request.user_agent\u003c/code\u003e), and the contents of the uploaded container image.\u003c/li\u003e\n\u003cli\u003eReview IAM policies related to ECR to ensure that only authorized users and roles have the necessary permissions to upload container images.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-upload/","summary":"The analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events and identifying instances where a new container is uploaded by a user not previously recognized as authorized, potentially indicating a compromise or misuse of AWS ECR.","title":"Unauthorized AWS ECR Container Upload by Unknown User","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-upload/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS","AWS Elastic Container Registry"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","ecr","anomaly"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis brief focuses on detecting anomalous container image uploads to AWS Elastic Container Registry (ECR) outside of standard business hours. The detection leverages AWS CloudTrail logs, specifically monitoring for \u003ccode\u003ePutImage\u003c/code\u003e API calls. The Splunk analytic \u0026quot;ASL AWS ECR Container Upload Outside Business Hours\u0026quot; identifies these deviations by flagging uploads occurring before 8 AM or after 8 PM, and any uploads that occur on weekends. Successful exploitation can lead to the deployment of compromised containers, potentially enabling unauthorized access, data breaches, or service disruption. This detection is crucial for security operations centers (SOCs) to identify potentially malicious activity within AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or AWS SDK to authenticate and interact with the ECR service.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or obtains a malicious container image.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003ePutImage\u003c/code\u003e API call to upload the malicious container image to a designated ECR repository. This occurs outside of established business hours to evade detection.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003ePutImage\u003c/code\u003e event, capturing details such as the actor's user ID, source IP address, and the target repository.\u003c/li\u003e\n\u003cli\u003eThe malicious container image is then deployed within the AWS environment, potentially through ECS, EKS, or other container orchestration services.\u003c/li\u003e\n\u003cli\u003eThe deployed container executes malicious code, leading to data exfiltration, lateral movement, or denial-of-service attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in the deployment of malicious code within the victim's AWS environment. This can lead to unauthorized access to sensitive data, service disruption, or complete compromise of the AWS account. The impact can vary based on the permissions associated with the deployed container and the attacker's objectives. Detecting and responding to these anomalous uploads promptly is crucial to mitigating potential damages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your specific business hours and AWS environment to detect suspicious container uploads (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the associated CloudTrail logs for further indicators of compromise.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003ePutImage\u003c/code\u003e events and correlate them with other security events to identify potential patterns of malicious activity.\u003c/li\u003e\n\u003cli\u003eReview IAM policies and access controls to ensure that only authorized users and roles have the necessary permissions to upload container images to ECR.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review AWS CloudTrail logs to identify and address any security misconfigurations or suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement automated container image scanning to identify vulnerabilities and malware before they are deployed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ecr-upload-anomaly/","summary":"This detection identifies uploads of new containers to AWS Elastic Container Registry (ECR) outside of standard business hours, potentially indicating unauthorized access or malicious deployments.","title":"AWS ECR Container Upload Anomaly Outside Business Hours","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ecr-upload-anomaly/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Elastic Container Registry"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","ecr","container"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert focuses on detecting potentially malicious uploads to AWS Elastic Container Registry (ECR) that occur outside of typical business hours. While not inherently malicious, such activity can signify unauthorized access or insider threats attempting to deploy compromised container images. This detection is designed to identify anomalous behavior that warrants further investigation, especially in environments with strict container deployment policies. This detection uses the \u003ccode\u003eaws_ecr_container_upload_outside_business_hours.yml\u003c/code\u003e file from the Splunk security content repository.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to AWS credentials through compromised credentials, exposed keys, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these credentials to authenticate to the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a Docker image to include malicious software, backdoors, or other unwanted components.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious Docker image to an AWS ECR repository outside of normal business hours. This is done using the \u003ccode\u003edocker push\u003c/code\u003e command or AWS CLI.\u003c/li\u003e\n\u003cli\u003eA deployment pipeline or manual deployment process pulls the newly uploaded (malicious) container image from ECR.\u003c/li\u003e\n\u003cli\u003eThe compromised container is deployed into a production or development environment.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the container executes, potentially leading to data exfiltration, privilege escalation, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to the deployment of compromised containers in the AWS environment. This can result in data breaches, service disruptions, or unauthorized access to sensitive resources. The impact is highly dependent on the nature of the malicious code injected into the container image. Early detection of unusual ECR upload activity outside business hours can help prevent or mitigate the impact of such attacks.\u003c/p\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-upload-bh/","summary":"An AWS Elastic Container Registry (ECR) container image upload occurring outside of normal business hours can indicate suspicious or malicious activity, such as an attacker attempting to deploy compromised containers.","title":"Suspicious AWS ECR Container Upload Outside Business Hours","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-upload-bh/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Elastic Container Registry"],"_cs_severities":["high"],"_cs_tags":["aws","ecr","container","upload"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert detects the anomalous upload of a new container image to AWS Elastic Container Registry (ECR) by an account not in the known good list. The activity is identified by analyzing AWS CloudTrail logs for \u003ccode\u003ePutImage\u003c/code\u003e events originating from the ECR service. By filtering out uploads performed by known, authorized users, the detection highlights potentially malicious actions indicative of compromised credentials or insider threats. The unauthorized image upload could lead to the deployment of malicious containers, data exfiltration, or further compromise of the AWS environment. The original Splunk detection was published on 2026-04-17.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to AWS credentials through methods like credential stuffing or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to authenticate to the AWS environment via the AWS CLI or API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or obtains a malicious container image designed for nefarious purposes.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eaws ecr put-image\u003c/code\u003e command or uses the AWS API to upload the malicious container image to a specified ECR repository. This generates a CloudTrail \u003ccode\u003ePutImage\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eAWS ECR stores the container image.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the malicious image using services like ECS or EKS.\u003c/li\u003e\n\u003cli\u003eThe malicious container executes, potentially leading to data exfiltration, lateral movement, or denial-of-service attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthorized container image upload can severely compromise an AWS environment. A successful attack can lead to the deployment of malicious code within the infrastructure, potentially affecting critical applications and data. This can result in data breaches, service disruptions, and reputational damage. The absence of specific victim counts makes it challenging to quantify the exact scope, but the nature of the attack suggests potentially broad implications for organizations utilizing AWS ECR.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS ECR Container Upload by Unknown User\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eaws_ecr_users\u003c/code\u003e macro for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eAWS ECR Container Upload by Unknown User\u003c/code\u003e Sigma rule to determine the source and intent of the unknown image upload.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to upload container images to ECR.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit AWS IAM policies to ensure least privilege access for all users and roles.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for suspicious API calls and unusual activity, focusing on ECR-related events as specified in the \u0026quot;data_source\u0026quot; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-unknown-upload/","summary":"An unauthorized user uploaded a new container image to AWS Elastic Container Registry (ECR), potentially leading to the deployment of malicious containers and further compromise of the AWS environment.","title":"AWS ECR Container Upload by Unknown User","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-unknown-upload/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Elastic Container Registry","version":"https://jsonfeed.org/version/1.1"}