T1525: Implant Internal Image

T1525: Implant Internal Image

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker ...

View on MITRE ATT&CK →

AWS PutImage

Pushes a container image to ECR, potentially introducing backdoored images into the deployment pipeline.

Cloud Service: AWS - ECR

Tactics:

Persistence

Techniques:

T1525

Tags:

AWS ECR

AWS UpdateFunctionConfiguration20150331v2

Updates Lambda function configuration including environment variables, IAM role, or layers — used to inject credentials or swap execution context.

Cloud Service: AWS - Lambda

Tactics:

Persistence Execution

Techniques:

T1525T1059

Tags:

AWS Lambda