- Tactics
- Persistence
- Platforms
- IaaS, Containers
- Reference
- attack.mitre.org/techniques/T1525
Description
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Persistence tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1136 — Create Account
- T1137 — Office Application Startup
- T1176 — Software Extensions
- T1197 — BITS Jobs
- T1205 — Traffic Signaling
- T1505 — Server Software Component