T1204.003: Malicious Image
| View on MITRE ATT&CK | T1204.003 |
|---|---|
| Tactic(s) | Execution |
Data from MITRE ATT&CK®:
Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
Adversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: Match Legitimate Name or Location).(Citation: Aqua Security Cloud Native Threat Report June 2021)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.How to detect this technique
MITRE ATT&CK Data Components
Instance Start (Instance)
Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)Application Log Content (Application Log)
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)Container Creation (Container)
Initial construction of a new container (ex: docker create <container_name>)Container Start (Container)
Activation or invocation of a container (ex: docker start or docker restart)Image Creation (Image)
Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)Instance Creation (Instance)
Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.