{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-security-lake/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Elastic Container Registry","AWS CloudTrail","AWS Security Lake","AWS IAM"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","ecr","container"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious activity within an AWS Elastic Container Registry (ECR) environment. Specifically, it focuses on the unauthorized uploading of container images by users not previously known or authorized to perform such actions. This activity is detected by monitoring AWS CloudTrail logs for \u003ccode\u003ePutImage\u003c/code\u003e API calls. The alert triggers when a user who hasn't previously uploaded containers to ECR performs this action, raising concerns about potential account compromise, insider threats, or the deployment of malicious containers. The detection logic uses Amazon Security Lake (ASL) as a centralized source of CloudTrail data. This approach allows for a broader and more consistent view of activity across the AWS environment. The original Splunk ES datamodel version of this detection was published in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, possibly through compromised credentials or an IAM role with excessive privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the AWS CLI or API to authenticate to the AWS environment using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker builds or obtains a malicious container image, potentially containing malware or backdoors.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to upload the malicious container image to an AWS ECR repository using the \u003ccode\u003ePutImage\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs this \u003ccode\u003ePutImage\u003c/code\u003e API call, including the user identity (actor.user.uid), source IP (src_endpoint.ip), and operation details.\u003c/li\u003e\n\u003cli\u003eThe detection logic identifies the user as an unknown or unauthorized entity based on a lack of prior ECR upload activity.\u003c/li\u003e\n\u003cli\u003eSecurity personnel investigate the alert, examining the container image for malicious content and the user account for signs of compromise.\u003c/li\u003e\n\u003cli\u003eIf malicious activity is confirmed, remediation steps include revoking compromised credentials, quarantining the container image, and investigating the scope of the breach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUnauthorized container uploads to AWS ECR can have significant consequences. If successful, attackers can deploy malicious containers into production environments, leading to data breaches, system compromise, and service disruption. The scope of impact depends on the permissions granted to the compromised account or role and the nature of the deployed container. Depending on the compromised container's purpose, attackers could steal sensitive data, establish persistence, or launch further attacks within the AWS environment. The lack of known false positives suggests that any triggered alert warrants immediate investigation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Amazon Security Lake and configure it to collect AWS CloudTrail logs from all relevant AWS accounts and regions to provide comprehensive visibility of ECR activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS ECR Container Upload by Unknown User\u003c/code\u003e to your SIEM and tune the rule based on your organization's known ECR user base.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this detection, focusing on the source IP address (\u003ccode\u003esrc_endpoint.ip\u003c/code\u003e), user agent (\u003ccode\u003ehttp_request.user_agent\u003c/code\u003e), and the contents of the uploaded container image.\u003c/li\u003e\n\u003cli\u003eReview IAM policies related to ECR to ensure that only authorized users and roles have the necessary permissions to upload container images.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-upload/","summary":"The analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events and identifying instances where a new container is uploaded by a user not previously recognized as authorized, potentially indicating a compromise or misuse of AWS ECR.","title":"Unauthorized AWS ECR Container Upload by Unknown User","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-upload/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Security Lake","version":"https://jsonfeed.org/version/1.1"}