<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Elastic Container Registry - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-elastic-container-registry/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-elastic-container-registry/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthorized AWS ECR Container Upload by Unknown User</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-upload/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-upload/</guid><description>The analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events and identifying instances where a new container is uploaded by a user not previously recognized as authorized, potentially indicating a compromise or misuse of AWS ECR.</description><content:encoded><![CDATA[<p>This detection identifies potentially malicious activity within an AWS Elastic Container Registry (ECR) environment. Specifically, it focuses on the unauthorized uploading of container images by users not previously known or authorized to perform such actions. This activity is detected by monitoring AWS CloudTrail logs for <code>PutImage</code> API calls. The alert triggers when a user who hasn't previously uploaded containers to ECR performs this action, raising concerns about potential account compromise, insider threats, or the deployment of malicious containers. The detection logic uses Amazon Security Lake (ASL) as a centralized source of CloudTrail data. This approach allows for a broader and more consistent view of activity across the AWS environment. The original Splunk ES datamodel version of this detection was published in 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or an IAM role with excessive privileges.</li>
<li>The attacker leverages the AWS CLI or API to authenticate to the AWS environment using the compromised credentials.</li>
<li>The attacker builds or obtains a malicious container image, potentially containing malware or backdoors.</li>
<li>The attacker attempts to upload the malicious container image to an AWS ECR repository using the <code>PutImage</code> API call.</li>
<li>CloudTrail logs this <code>PutImage</code> API call, including the user identity (actor.user.uid), source IP (src_endpoint.ip), and operation details.</li>
<li>The detection logic identifies the user as an unknown or unauthorized entity based on a lack of prior ECR upload activity.</li>
<li>Security personnel investigate the alert, examining the container image for malicious content and the user account for signs of compromise.</li>
<li>If malicious activity is confirmed, remediation steps include revoking compromised credentials, quarantining the container image, and investigating the scope of the breach.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Unauthorized container uploads to AWS ECR can have significant consequences. If successful, attackers can deploy malicious containers into production environments, leading to data breaches, system compromise, and service disruption. The scope of impact depends on the permissions granted to the compromised account or role and the nature of the deployed container. Depending on the compromised container's purpose, attackers could steal sensitive data, establish persistence, or launch further attacks within the AWS environment. The lack of known false positives suggests that any triggered alert warrants immediate investigation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Amazon Security Lake and configure it to collect AWS CloudTrail logs from all relevant AWS accounts and regions to provide comprehensive visibility of ECR activity.</li>
<li>Deploy the Sigma rule <code>AWS ECR Container Upload by Unknown User</code> to your SIEM and tune the rule based on your organization's known ECR user base.</li>
<li>Investigate any alerts generated by this detection, focusing on the source IP address (<code>src_endpoint.ip</code>), user agent (<code>http_request.user_agent</code>), and the contents of the uploaded container image.</li>
<li>Review IAM policies related to ECR to ensure that only authorized users and roles have the necessary permissions to upload container images.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>ecr</category><category>container</category></item><item><title>AWS ECR Container Upload Anomaly Outside Business Hours</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-ecr-upload-anomaly/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-ecr-upload-anomaly/</guid><description>This detection identifies uploads of new containers to AWS Elastic Container Registry (ECR) outside of standard business hours, potentially indicating unauthorized access or malicious deployments.</description><content:encoded><![CDATA[<p>This brief focuses on detecting anomalous container image uploads to AWS Elastic Container Registry (ECR) outside of standard business hours. The detection leverages AWS CloudTrail logs, specifically monitoring for <code>PutImage</code> API calls. The Splunk analytic &quot;ASL AWS ECR Container Upload Outside Business Hours&quot; identifies these deviations by flagging uploads occurring before 8 AM or after 8 PM, and any uploads that occur on weekends. Successful exploitation can lead to the deployment of compromised containers, potentially enabling unauthorized access, data breaches, or service disruption. This detection is crucial for security operations centers (SOCs) to identify potentially malicious activity within AWS environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role.</li>
<li>The attacker uses the AWS CLI or AWS SDK to authenticate and interact with the ECR service.</li>
<li>The attacker crafts or obtains a malicious container image.</li>
<li>The attacker uses the <code>PutImage</code> API call to upload the malicious container image to a designated ECR repository. This occurs outside of established business hours to evade detection.</li>
<li>AWS CloudTrail logs the <code>PutImage</code> event, capturing details such as the actor's user ID, source IP address, and the target repository.</li>
<li>The malicious container image is then deployed within the AWS environment, potentially through ECS, EKS, or other container orchestration services.</li>
<li>The deployed container executes malicious code, leading to data exfiltration, lateral movement, or denial-of-service attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can result in the deployment of malicious code within the victim's AWS environment. This can lead to unauthorized access to sensitive data, service disruption, or complete compromise of the AWS account. The impact can vary based on the permissions associated with the deployed container and the attacker's objectives. Detecting and responding to these anomalous uploads promptly is crucial to mitigating potential damages.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM and tune it for your specific business hours and AWS environment to detect suspicious container uploads (Sigma rule below).</li>
<li>Investigate any alerts generated by the Sigma rule by reviewing the associated CloudTrail logs for further indicators of compromise.</li>
<li>Monitor AWS CloudTrail logs for <code>PutImage</code> events and correlate them with other security events to identify potential patterns of malicious activity.</li>
<li>Review IAM policies and access controls to ensure that only authorized users and roles have the necessary permissions to upload container images to ECR.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.</li>
<li>Regularly audit and review AWS CloudTrail logs to identify and address any security misconfigurations or suspicious activity.</li>
<li>Implement automated container image scanning to identify vulnerabilities and malware before they are deployed.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>ecr</category><category>anomaly</category></item><item><title>Suspicious AWS ECR Container Upload Outside Business Hours</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-upload-bh/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-upload-bh/</guid><description>An AWS Elastic Container Registry (ECR) container image upload occurring outside of normal business hours can indicate suspicious or malicious activity, such as an attacker attempting to deploy compromised containers.</description><content:encoded><![CDATA[<p>This alert focuses on detecting potentially malicious uploads to AWS Elastic Container Registry (ECR) that occur outside of typical business hours. While not inherently malicious, such activity can signify unauthorized access or insider threats attempting to deploy compromised container images. This detection is designed to identify anomalous behavior that warrants further investigation, especially in environments with strict container deployment policies. This detection uses the <code>aws_ecr_container_upload_outside_business_hours.yml</code> file from the Splunk security content repository.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to AWS credentials through compromised credentials, exposed keys, or other means.</li>
<li>The attacker uses these credentials to authenticate to the AWS environment.</li>
<li>The attacker creates or modifies a Docker image to include malicious software, backdoors, or other unwanted components.</li>
<li>The attacker uploads the malicious Docker image to an AWS ECR repository outside of normal business hours. This is done using the <code>docker push</code> command or AWS CLI.</li>
<li>A deployment pipeline or manual deployment process pulls the newly uploaded (malicious) container image from ECR.</li>
<li>The compromised container is deployed into a production or development environment.</li>
<li>The malicious code within the container executes, potentially leading to data exfiltration, privilege escalation, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could lead to the deployment of compromised containers in the AWS environment. This can result in data breaches, service disruptions, or unauthorized access to sensitive resources. The impact is highly dependent on the nature of the malicious code injected into the container image. Early detection of unusual ECR upload activity outside business hours can help prevent or mitigate the impact of such attacks.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>ecr</category><category>container</category></item><item><title>AWS ECR Container Upload by Unknown User</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-unknown-upload/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-unknown-upload/</guid><description>An unauthorized user uploaded a new container image to AWS Elastic Container Registry (ECR), potentially leading to the deployment of malicious containers and further compromise of the AWS environment.</description><content:encoded><![CDATA[<p>This alert detects the anomalous upload of a new container image to AWS Elastic Container Registry (ECR) by an account not in the known good list. The activity is identified by analyzing AWS CloudTrail logs for <code>PutImage</code> events originating from the ECR service. By filtering out uploads performed by known, authorized users, the detection highlights potentially malicious actions indicative of compromised credentials or insider threats. The unauthorized image upload could lead to the deployment of malicious containers, data exfiltration, or further compromise of the AWS environment. The original Splunk detection was published on 2026-04-17.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to AWS credentials through methods like credential stuffing or phishing.</li>
<li>The attacker uses the compromised credentials to authenticate to the AWS environment via the AWS CLI or API.</li>
<li>The attacker crafts or obtains a malicious container image designed for nefarious purposes.</li>
<li>The attacker executes the <code>aws ecr put-image</code> command or uses the AWS API to upload the malicious container image to a specified ECR repository. This generates a CloudTrail <code>PutImage</code> event.</li>
<li>AWS ECR stores the container image.</li>
<li>The attacker deploys the malicious image using services like ECS or EKS.</li>
<li>The malicious container executes, potentially leading to data exfiltration, lateral movement, or denial-of-service attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>An unauthorized container image upload can severely compromise an AWS environment. A successful attack can lead to the deployment of malicious code within the infrastructure, potentially affecting critical applications and data. This can result in data breaches, service disruptions, and reputational damage. The absence of specific victim counts makes it challenging to quantify the exact scope, but the nature of the attack suggests potentially broad implications for organizations utilizing AWS ECR.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS ECR Container Upload by Unknown User</code> to your SIEM and tune the <code>aws_ecr_users</code> macro for your environment.</li>
<li>Investigate any alerts generated by the <code>AWS ECR Container Upload by Unknown User</code> Sigma rule to determine the source and intent of the unknown image upload.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to upload container images to ECR.</li>
<li>Regularly review and audit AWS IAM policies to ensure least privilege access for all users and roles.</li>
<li>Monitor AWS CloudTrail logs for suspicious API calls and unusual activity, focusing on ECR-related events as specified in the &quot;data_source&quot; section.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>ecr</category><category>container</category><category>upload</category></item></channel></rss>