PutImage
Event
Pushes a container image to an Amazon ECR repository. An adversary who can make this call can introduce a backdoored image into the deployment pipeline.
Security Context
- Pushing a malicious container image to ECR can compromise all downstream workloads that pull from the repository, providing persistent code execution across the deployment pipeline.
- Adversaries implant backdoored images that appear legitimate but contain reverse shells, credential harvesters, or cryptominers that activate at runtime.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1525 — Implant Internal Image — Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker ...
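Added detection example (not part of this reference entry, and not any vendor's code): it runs over constructed CloudTrail records, keeps only ecr.amazonaws.com PutImage calls, resolves the calling principal to its issuing role, and flags pushes from a principal or source network that is not on an assumed allowlist of CI pushers. The account id, role name, repository and CIDR are placeholders.

```python
import ipaddress

# Constructed CloudTrail records (not real log data): a routine CI push, a push
# from an IAM user outside the build network, and an unrelated ECR read call.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "PutImage", "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-ecr-push/build-42",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/ci-ecr-push"}}},
     "requestParameters": {"repositoryName": "payments-api", "imageTag": "v1.4.2"}},
    {"eventTime": "2024-05-01T23:41:09Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "PutImage", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"repositoryName": "payments-api", "imageTag": "latest"}},
    {"eventTime": "2024-05-01T23:42:00Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "DescribeImages", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"repositoryName": "payments-api"}},
]

# Assumed allowlist (hypothetical): the only role and network expected to push images.
APPROVED_PUSH_ROLES = {"arn:aws:iam::123456789012:role/ci-ecr-push"}
APPROVED_PUSH_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def principal_arn(record):
    """Use the issuing role for assumed-role sessions so session names don't matter."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "")


def find_unexpected_pushes(records, roles=APPROVED_PUSH_ROLES, nets=APPROVED_PUSH_NETWORKS):
    """One finding per PutImage call whose principal or source network is not approved."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ecr.amazonaws.com" or rec.get("eventName") != "PutImage":
            continue
        who, reasons = principal_arn(rec), []
        if who not in roles:
            reasons.append("principal not in CI push allowlist")
        try:
            if not any(ipaddress.ip_address(rec.get("sourceIPAddress", "")) in n for n in nets):
                reasons.append("source IP outside build network")
        except ValueError:  # sourceIPAddress can be a service name rather than an IP
            reasons.append("non-IP source address")
        if reasons:
            p = rec.get("requestParameters", {})
            findings.append({"time": rec["eventTime"], "principal": who, "reasons": reasons,
                             "repository": p.get("repositoryName"), "tag": p.get("imageTag")})
    return findings
```

Feed it the records from a CloudTrail delivery (the `Records` array of each log file) and triage the findings alongside the image digest and tag that were pushed.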