Image From New Repository Detected

Description

Detect the presence of an Image created from a Repository not seen in your Kubernetes environment before.


Use Case

Advanced Threat Detection, Compliance

Category

Cloud Security, Abuse, Unauthorized Software, Account Compromise

Security Impact

If an attacker manages to gain access to your cluster, they are likely to spin up new containers that contain either attacker tools and utilities or cryptocurrency mining software. New repositories should only rarely appear in your production environment, so the alert volume and false positive rate should be low. This detection leverages a baseline stored in a lookup to maintain performance over longer time periods. By default the baseline is stored for 30 days.

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Impact

MITRE ATT&CK Techniques

Resource Hijacking

MITRE Threat Groups

APT41
Blue Mockingbird
Lazarus Group
Rocke

Kill Chain Phases

Installation
Actions On Objectives

Data Sources

Audit Trail
Kubernetes

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • Save the search.

For this search, it is recommended that it is run every hour, but this can be changed to a less frequent schedule.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search is designed to find older versions of Mimikatz (or other tools with similar techniques), and is not known to have any other false positives.

How To Respond

When this search returns values, initiate your incident response process, identify the owner of the Container and check whether the use of a completely new Repository is warranted. New Repositories should only rarely appear in a production environment.

Help

Image From New Repository Detected Help

This example leverages the Simple search assistant. Here we start with a dataset of Splunk Connect for Kubernetes Pod logs. These logs are generated from the Pods themselves and reveal the image, container and repository information. This search might look a bit complicated, but it is rather simple: we search the data for the last 1 hour and append the current baseline stored in the csv file image_from_new_respository_detected_baseline.csv. Then we calculate the first and last time we saw each repository, based on the latest values and the baseline that we appended. At the end of the search we write back to the baseline file and mark any outliers, so we can alert whenever the search returns something. There is also some logic that suppresses the alerts if no baseline has been created yet, or if the baseline is newer than two hours. This prevents outliers from being generated when you first run the search.
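The baseline logic described above, as an added Python example rather than the page's own SPL: it merges a one-hour window of pod events into a baseline CSV, expires entries older than 30 days, suppresses alerts while the baseline is absent or younger than two hours, and flags repositories absent from the baseline. The event field names (`_time`, `image`), the sample data, and measuring baseline age from its oldest `firstTime` are assumptions.

```python
import csv, io
HOUR, DAY = 3600, 86400

def repository_of(image_ref):
    """Strip tag/digest from an image reference. A ':' only separates a tag after
    the last '/', so a registry port such as registry.internal:5000/app/api survives."""
    name = image_ref.split("@", 1)[0]            # drop a @sha256:... digest
    head, _, last = name.rpartition("/")
    last = last.split(":", 1)[0]                 # drop :tag on the final component
    return f"{head}/{last}" if head else last

def load_baseline(baseline_csv):
    rows = csv.DictReader(io.StringIO(baseline_csv))
    return {r["repository"]: (int(r["firstTime"]), int(r["lastTime"])) for r in rows}

def dump_baseline(baseline):
    lines = ["repository,firstTime,lastTime"]
    lines += [f"{repo},{first},{last}" for repo, (first, last) in sorted(baseline.items())]
    return "\n".join(lines) + "\n"

def run_detection(events, baseline_csv, now, window=HOUR, warmup=2 * HOUR, retention=30 * DAY):
    """Return (alerts, updated baseline CSV); alerts are repositories absent from the baseline."""
    baseline = load_baseline(baseline_csv)
    merged = dict(baseline)
    for ev in (e for e in events if e["_time"] >= now - window):   # last-hour search window
        repo = repository_of(ev["image"])
        first, last = merged.get(repo, (ev["_time"], ev["_time"]))
        merged[repo] = (min(first, ev["_time"]), max(last, ev["_time"]))
    # Expire repositories not seen within the retention period (30 days by default).
    merged = {r: fl for r, fl in merged.items() if fl[1] >= now - retention}
    # Warm-up guard (assumption: baseline age is time since its oldest firstTime):
    # with no baseline, or one younger than two hours, everything would look new.
    baseline_age = now - min((first for first, _ in baseline.values()), default=now)
    if not baseline or baseline_age < warmup:
        return [], dump_baseline(merged)
    return sorted(r for r in merged if r not in baseline), dump_baseline(merged)

# Constructed sample input (not real Splunk Connect for Kubernetes output).
NOW = 1_700_003_600
SAMPLE_EVENTS = [
    {"_time": NOW - 900, "image": "registry.internal:5000/app/api:1.4"},
    {"_time": NOW - 600, "image": "docker.io/library/redis:7"},
    {"_time": NOW - 300, "image": "ghcr.io/unknown-org/miner@sha256:deadbeef"},
]
SAMPLE_BASELINE = (
    "repository,firstTime,lastTime\n"
    f"registry.internal:5000/app/api,{NOW - 10 * DAY},{NOW - 2 * HOUR}\n"
    f"docker.io/library/redis,{NOW - 10 * DAY},{NOW - 2 * HOUR}\n"
    f"quay.io/old/retired,{NOW - 40 * DAY},{NOW - 31 * DAY}\n"
)
```

Running `run_detection(SAMPLE_EVENTS, SAMPLE_BASELINE, NOW)` flags only the ghcr.io repository, drops the quay.io entry that has not been seen for over 30 days, and returns the merged CSV to write back as the next baseline.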

SPL for Image From New Repository Detected