Suspicious Container Image Name

Description

This search looks for image creation events in Kubernetes audit logs and compares the image names against a known list of keywords that are likely to indicate a suspicious image. This technique is particularly useful for detecting cryptomining attacks.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Advanced Threat Detection, Security Monitoring

Category

Endpoint Compromise

Security Impact

Kubernetes and containers are becoming more and more common, and we are seeing more attacks and exploits targeting this platform. Reference scenarios include the two Azure Security Center reports "Azure Security Center detected a new crypto mining campaign that targets Kubernetes environments" and "Azure Security Center exposes crypto miner campaign".

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Impact

MITRE ATT&CK Techniques

Resource Hijacking

MITRE Threat Groups

APT41
Blue Mockingbird
Lazarus Group
Rocke

Kill Chain Phases

Exploitation

Data Sources

GCP
Audit Trail
AWS
Azure

How to Implement

Assuming you use the ubiquitous AWS, GCP, or Azure Add-ons for Splunk to pull these logs in, this search should work automatically for you without issue. While implementing, make sure you follow the best practice of specifying the index for your data.

Known False Positives

This search should trigger very few false positives, because it is filtered to a small set of very specific events. The keyword list uses wildcards, so some matches may be benign image names that happen to contain a keyword such as "coin" or "mining". You can modify the lookup to get around this in your environment.

How To Respond

This alert is very clearly tied to a known threat, so when it fires your concern is that an attacker is inside one of your systems. The recommended step is to begin incident response on the host from which this alert fired and look for signs of other suspicious activity. The first step in that process is to look for other events that involve the same IP address or user name and see what else the attacker might have done. That should guide you to the underlying problem.

Help

Suspicious Container Image Name Help

The basic idea behind this search is to take a set of container image names and cross-reference them against a set of known bad keywords.

There are three phases to this search.

  • First we run a search to find image creation events.
  • Then we match the image names with the list of keywords from a CSV file (also called a lookup).
  • Lastly, we filter the events down to those with a match against the lookup, and we rename some of the fields to make the results easier to read.
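The three phases above, together with the wildcard false-positive behaviour described under Known False Positives, can be shown end to end with an added Python example. This is not the page's SPL and not part of Splunk Security Essentials: the audit events and the keyword lookup below are constructed for illustration (the real lookup shipped with the app is not reproduced here), and the example goes slightly beyond the text by also reading pod templates from Deployments, Jobs and CronJobs, since an image can be introduced through those resources as well as through a bare Pod.

```python
"""Keyword matching of container image names in Kubernetes audit events.

Added example: phase 1 selects create events that carry a pod spec, phase 2
wildcard-matches each image name against a keyword lookup, phase 3 keeps only
the matches and emits analyst-friendly field names.
"""
import fnmatch
import json

# Constructed keyword lookup. Stands in for the app's CSV lookup; it is NOT the
# real list. Shell-style wildcards, as the page says the lookup uses.
SUSPICIOUS_IMAGE_KEYWORDS = ["*coin*", "*mining*"]

# Kubernetes resources whose create requests carry a pod spec, directly or via a template.
POD_RESOURCES = {"pods"}
TEMPLATED_RESOURCES = {"deployments", "daemonsets", "statefulsets", "jobs", "replicasets"}

# Constructed Kubernetes audit log lines (JSON, one event per line). Not real cluster data.
SAMPLE_AUDIT_LOG = [
    '{"verb":"create","objectRef":{"resource":"pods","namespace":"default","name":"worker-1"},'
    '"user":{"username":"system:serviceaccount:default:default"},"sourceIPs":["198.51.100.7"],'
    '"requestObject":{"spec":{"containers":[{"name":"w","image":"docker.io/example/cryptomining-worker:latest"}]}}}',
    '{"verb":"create","objectRef":{"resource":"deployments","namespace":"analytics","name":"etl"},'
    '"user":{"username":"alice@example.com"},"sourceIPs":["10.0.0.5"],'
    '"requestObject":{"spec":{"template":{"spec":{"containers":[{"name":"etl","image":"registry.example.com/analytics/data-mining-etl:2.1"}]}}}}}',
    '{"verb":"create","objectRef":{"resource":"pods","namespace":"web","name":"front"},'
    '"user":{"username":"bob@example.com"},"sourceIPs":["10.0.0.9"],'
    '"requestObject":{"spec":{"containers":[{"name":"web","image":"nginx:1.25"}]}}}',
    '{"verb":"list","objectRef":{"resource":"pods","namespace":"web"},'
    '"user":{"username":"bob@example.com"},"sourceIPs":["10.0.0.9"]}',
    '{"verb":"create","objectRef":{"resource":"cronjobs","namespace":"payments","name":"recon"},'
    '"user":{"username":"carol@example.com"},"sourceIPs":["10.0.0.12"],'
    '"requestObject":{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"containers":'
    '[{"name":"r","image":"registry.example.com/payments/coin-reconcile:4"}]}}}}}}}',
]


def load_events(lines=SAMPLE_AUDIT_LOG):
    """Parse JSON audit log lines into event dicts."""
    return [json.loads(line) for line in lines]


def image_names(event):
    """Phase 1: return the image names in a create request, or [] if this is not an image creation event."""
    if event.get("verb") != "create":
        return []
    resource = event.get("objectRef", {}).get("resource")
    spec = event.get("requestObject", {}).get("spec", {})
    if resource in POD_RESOURCES:
        pod_spec = spec
    elif resource == "cronjobs":
        pod_spec = spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    elif resource in TEMPLATED_RESOURCES:
        pod_spec = spec.get("template", {}).get("spec", {})
    else:
        return []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [c["image"] for c in containers if "image" in c]


def matched_keywords(image, keywords=SUSPICIOUS_IMAGE_KEYWORDS):
    """Phase 2: case-insensitive wildcard match of one image name against the lookup.

    Because the patterns are wildcards, a benign name such as "data-mining-etl"
    matches "*mining*" just as a miner image does; that is the false positive
    the page warns about, and tightening the lookup is how to suppress it.
    """
    name = image.lower()
    return [k for k in keywords if fnmatch.fnmatchcase(name, k.lower())]


def find_suspicious_images(events, keywords=SUSPICIOUS_IMAGE_KEYWORDS):
    """Phase 3: keep only matching events and rename fields for the analyst."""
    hits = []
    for event in events:
        for image in image_names(event):
            keys = matched_keywords(image, keywords)
            if keys:
                hits.append({
                    "image": image,
                    "keywords": keys,
                    "resource": event["objectRef"]["resource"],
                    "namespace": event["objectRef"].get("namespace", ""),
                    "user": event.get("user", {}).get("username", ""),
                    "src_ip": ",".join(event.get("sourceIPs", [])),
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_images(load_events()):
        print(json.dumps(hit))
```

Running the block reports three hits: the cryptomining worker pod, the benign "data-mining-etl" deployment (a wildcard false positive), and the CronJob whose image contains "coin"; the nginx pod and the list request are dropped. The user and source IP fields are carried through because, as the response guidance says, pivoting on those is the first step once the alert fires.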

SPL for Suspicious Container Image Name

AWS Data

First we find container creation events

GCP Data

First we find container creation events

Azure Data

First we find container creation events