Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1612 | Build Image on Host | Monitor for unexpected Docker image build requests to the Docker daemon on hosts in the environment. |
| Enterprise | T1525 | Implant Internal Image | Monitor interactions with images and containers by users to identify ones that are added anomalously. |
| Enterprise | T1204 | User Execution | Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. |
| Enterprise | T1204.003 | User Execution: Malicious Image | Monitor the local image registry to make sure malicious images are not added. |
Removal of a virtual machine image (ex: Azure Compute Service Images DELETE)
Contextual data about a virtual machine image such as name, resource group, state, or type
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | Collecting disk and resource filenames for binaries and checking that the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. [3] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names. [4] Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users. |
| Enterprise | T1525 | Implant Internal Image | Periodically baseline virtual machine images to identify malicious modifications or additions. |
| Enterprise | T1564.006 | Hide Artifacts: Run Virtual Instance | Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines. [5] Network adapter information may also be helpful in detecting the use of virtual instances. |
Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1525 | Implant Internal Image | Monitor interactions with images and containers by users to identify ones that are modified anomalously. In containerized environments, changes may be detectable by monitoring the Docker daemon logs or by setting up and monitoring Kubernetes audit logs, depending on registry configuration. |
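Several of the detections above come down to comparing images by digest rather than by name and watching Kubernetes audit logs for anomalous creations or modifications. The following is an added example, not from the ATT&CK page: it replays constructed newline-delimited audit events against a constructed baseline of approved image digests and flags unbaselined images, tag-only references, and digest drift under a trusted tag. The registry names, usernames and digests are all placeholders.

```python
import json

# Constructed baseline of approved images: "repo:tag" -> expected digest (placeholder hashes).
BASELINE = {
    "registry.example.internal/app/web:1.4.2": "sha256:" + "a" * 64,
    "registry.example.internal/app/api:2.0.0": "sha256:" + "b" * 64,
}
# Constructed Kubernetes audit events, reduced to the fields this check uses.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "deploy-bot"},
     "requestObject": {"spec": {"containers": [
         {"image": "registry.example.internal/app/web:1.4.2@sha256:" + "a" * 64}]}}},
    {"verb": "update", "user": {"username": "jdoe"},
     "requestObject": {"spec": {"containers": [
         {"image": "registry.example.internal/app/web:1.4.2@sha256:" + "c" * 64}]}}},
    {"verb": "create", "user": {"username": "jdoe"},
     "requestObject": {"spec": {"containers": [
         {"image": "registry.example.internal/app/api:2.0.0"},
         {"image": "docker.io/library/busybox:latest"}]}}},
    {"verb": "get", "user": {"username": "jdoe"}, "requestObject": {}},
])

def split_ref(image):
    # Split "repo:tag@sha256:..." into (repo:tag, digest); digest is None if the ref is tag-only.
    if "@" in image:
        name, digest = image.split("@", 1)
        return name, digest
    return image, None

def check_event(event, baseline):
    """Return findings for one audit event that creates or modifies a workload."""
    findings = []
    if event.get("verb") not in ("create", "update", "patch"):
        return findings  # reads and deletes are not image modifications
    user = event.get("user", {}).get("username", "unknown")
    for c in event.get("requestObject", {}).get("spec", {}).get("containers", []):
        name, digest = split_ref(c.get("image", ""))
        expected = baseline.get(name)
        if expected is None:
            findings.append(f"unbaselined image {name} (by {user})")
        elif digest is None:
            findings.append(f"{name} referenced by tag only, no digest pin (by {user})")
        elif digest != expected:
            findings.append(f"digest mismatch for {name}: content differs from baseline (by {user})")
    return findings

def scan(audit_log=SAMPLE_AUDIT_LOG, baseline=BASELINE):
    """Run check_event over newline-delimited JSON audit events and collect findings."""
    return [f for line in audit_log.splitlines() if line.strip() for f in check_event(json.loads(line), baseline)]
```

A same-named tag pointing at different layer content (the second event) is exactly the case a name-only comparison misses.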