GetAuthorizationToken

CSP: AWS
Event

Retrieves an ECR authorization token for Docker image operations, seen in container escape and lateral movement chains.

Security Context

  • ECR authorization tokens provide temporary Docker registry credentials that can be used to pull or push container images, potentially exposing proprietary code and configuration secrets embedded in images.
  • This event is frequently observed in container escape scenarios where compromised workloads retrieve ECR tokens via the instance metadata service to access container registries.

Log Source

CloudTrail
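
A triage sketch for this event over CloudTrail records, added here as an example and not part of the original page. It flags calls where EC2 instance-profile credentials (role session named after the instance ID) are used from outside expected networks; `TRUSTED_NETS`, the helper names and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: address ranges your workloads legitimately call AWS from (VPC, NAT egress).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/16")]
# Instance-profile sessions are named after the EC2 instance ID.
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-(?:[0-9a-f]{17}|[0-9a-f]{8}))$")

def classify(record):
    """Return None for unrelated events, else (severity, reason)."""
    if (record.get("eventSource"), record.get("eventName")) != (
            "ecr.amazonaws.com", "GetAuthorizationToken"):
        return None
    identity = record.get("userIdentity", {})
    src = record.get("sourceIPAddress", "")
    try:
        trusted = any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)
    except ValueError:
        # CloudTrail records a DNS name here when an AWS service makes the call.
        return ("info", f"call made by service {src}")
    match = INSTANCE_SESSION.search(identity.get("arn", ""))
    if match and not trusted:
        return ("high", f"credentials of {match.group(1)} used from {src}")
    if not trusted:
        return ("review", f"{identity.get('type')} principal from {src}")
    return ("info", f"expected source {src}")

def _record(name, id_type, arn, src):
    # Builds a constructed record with only the fields classify() reads.
    return {"eventSource": "ecr.amazonaws.com", "eventName": name,
            "sourceIPAddress": src, "userIdentity": {"type": id_type, "arn": arn}}

NODE = "arn:aws:sts::111122223333:assumed-role/node-role/i-0abc1234def567890"
SAMPLE_RECORDS = [  # constructed; account ID, names and addresses are made up
    _record("GetAuthorizationToken", "AssumedRole", NODE, "10.0.4.17"),
    _record("GetAuthorizationToken", "AssumedRole", NODE, "203.0.113.50"),
    _record("GetAuthorizationToken", "IAMUser",
            "arn:aws:iam::111122223333:user/ci-deployer", "198.51.100.7"),
    _record("GetAuthorizationToken", "AWSService", "", "ecs.amazonaws.com"),
    _record("DescribeRepositories", "AssumedRole", NODE, "203.0.113.50"),
]

def triage(records):
    """Return (index, severity, reason) for every GetAuthorizationToken record."""
    return [(i, *hit) for i, r in enumerate(records) if (hit := classify(r))]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```
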

Sample Event

MITRE ATT&CK Mapping

Tactics: Credential Access

Techniques:
  • T1552 — Unsecured Credentials — Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g.