Navigation :

Suspicious Container Image Name

Description

This search looks for image creation events in Kubernetes Audit logs and compares the image names against a known list of names that is likely to be suspicious. This technique is particularly useful for cryptomining attacks.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection, Security Monitoring

Category

Endpoint Compromise

Security Impact

Kubernetes and containers are becoming more and more common and we are seeing more attacks and exploits targetting this platform. Reference scenarios include these Azure Security Center detected a new crypto mining campaign that targets Kubernetes environments and Azure Security Center exposes crypto miner campaign

Alert Volume

Low (?)

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Impact

MITRE ATT&CK Techniques

Resource Hijacking

MITRE Threat Groups

APT41
Blue Mockingbird
Lazarus Group
Rocke

Kill Chain Phases

Exploitation

Data Sources

GCP
Audit Trail
AWS
Azure

   How to Implement

Assuming you use the ubiquitous AWS, GCP, or Azure Add-ons for Splunk to pull these logs in, this search should work automatically for you without issue. While implementing, make sure you follow the best practice of specifying the index for your data.

   Known False Positives

This search should trigger very few false positives, because it's filtered to just very specific events. The keyword list uses wildcards so some of the matches might include benign words that contain bad words like "coin" or "mining". You can modify the lookup to get around this in your environment.

   How To Respond

This alert is very clearly tied to a known threat, so when it fires your concern is that this represents an attacker inside of one of your systems. Recommended steps are to begin incident response on the host where this alert fired from, to look for signs of other suspicious activities. The first step in that process will be to look for other events that involve the same IP or user name, and see what other activities the attacker might have done. That should guide you to the underlying problem.

   Help

Suspicious Container Image Name Help

The basic idea behind this search is to take a set of container images names and cross reference them against a set of known bad keywords.

There are three phases to this search.

  • First we run a search to find image creation events.
  • Then we match the image names with the list of keywords from a CSV file (also called a lookup).
  • Lastly, we filter the events on ones where we have a match against the lookup and we rename some of the files to make it easier to read.

SPL for Suspicious Container Image Name

AWS Data

index=* sourcetype=aws:cloudwatchlogs* image create verb IN("create") (requestObject.spec.containers{}.image=*) | rename requestObject.spec.containers{}.image AS Image | eval Image=lower(Image) | lookup suspicious_container_image_names image AS Image OUTPUT category AS "Image Category" | where isnotnull('Image Category') | fields * | foreach *     [| eval "<<FIELD>>"=mvdedup('<<FIELD>>') ] | rename user.username AS user "sourceIPs{}" AS "src_ip" objectRef.name AS "Involved Object" objectRef.namespace AS Namespace objectRef.resource AS "Resource Type" kind AS Kind requestURI AS "url" userAgent AS "user_agent" verb AS Verb responseStatus.code AS "Status Code" "annotations.authorization.k8s.io/decision" AS "Authorization Decision" | stats count AS "Event Count" values(*) AS * by _time | table _time "src_ip" user Verb Image "Image Category" "Event Count" "Involved Object" Namespace "Resource Type" Kind "url" "user_agent" "Status Code" "Authorization Decision"
First we find container creation events

GCP Data

index=* sourcetype=google:gcp:pubsub:message image create "event_name"="*.create" ("data.protoPayload.request.spec.containers{}.image"="*") | rename data.protoPayload.request.spec.containers{}.image AS Image| eval src_user=coalesce('data.protoPayload.authenticationInfo.principalEmail', 'data.jsonPayload.actor.user')| eval Image=lower(Image) | lookup suspicious_container_image_names image AS Image OUTPUT category AS "Image Category" | where isnotnull('Image Category') | fields _time src_ip src_user event_name Image "Image Category"  data.protoPayload.request.metadata.labels.name data.protoPayload.request.metadata.name data.protoPayload.request.metadata.namespace data.protoPayload.resourceName data.protoPayload.request.kind dest http_user_agent status k8s_authorization_decision data.protoPayload.status.message | foreach *     [| eval "<<FIELD>>"=mvdedup('<<FIELD>>') ] | rename data.protoPayload.request.metadata.labels.name AS "Involved Object Label" data.protoPayload.request.metadata.name AS "Involved Object Name" data.protoPayload.request.metadata.namespace AS Namespace data.protoPayload.resourceName AS "Resource Type" data.protoPayload.request.kind AS Kind status AS "Status Code" http_user_agent AS "user_agent" "k8s_authorization_decision" AS "Authorization Decision" | stats count AS "Event Count" values(*) AS * by _time | table _time src_ip src_user event_name Image "Image Category" "Event Count" "Involved Object Label" "Involved Object Name" Namespace "Resource Type" Kind dest "user_agent" "Status Code" "Authorization Decision" data.protoPayload.status.message
First we find container creation events

Azure Data

index=* (sourcetype=mscs:storage:blob OR sourcetype=mscs:storage:blob:json) image create | spath input=properties.log | search verb="create" ("requestObject.spec.containers{}.image"="*") | rename requestObject.spec.containers{}.image AS Image | eval Image=lower(Image) | lookup suspicious_container_image_names image AS Image OUTPUT category AS "Image Category" | where isnotnull('Image Category') | fields _time sourceIPs{} user.username verb Image "Image Category"  objectRef.name objectRef.namespace objectRef.resource kind requestURI userAgent responseStatus.code annotations.authorization.k8s.io/decision | foreach *     [| eval "<<FIELD>>"=mvdedup('<<FIELD>>') ] | rename user.username AS user "sourceIPs{}" AS "src_ip" objectRef.name AS "Involved Object" objectRef.namespace AS Namespace objectRef.resource AS "Resource Type" kind AS Kind requestURI AS "url" userAgent AS "user_agent" verb AS Verb responseStatus.code AS "Status Code" "annotations.authorization.k8s.io/decision" AS "Authorization Decision" | stats count AS "Event Count" values(*) AS * by _time | table _time "src_ip" user Verb Image "Image Category" "Event Count" "Involved Object" Namespace "Resource Type" Kind "url" "user_agent" "Status Code" "Authorization Decision"
First we find container creation events