ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引页]

译者: 林妙倩(清华大学网络研究院网络空间安全实习生)、戴亦仑(赛宁网安) 原创翻译作品,如果需要转载请取得翻译作者同意。

数据来源:ATT&CK Matrices

原文: https://attack.mitre.org/techniques/T1525

术语表: /attack/glossary

注入容器镜像

Amazon Web Service(AWS)Amazon Machine Images(AMI),Google Cloud Platform(GCP)映像和Azure Images以及流行的容器运行时(例如Docker)都可以植入或后门以包含恶意代码。根据基础结构的配置方式,如果指示基础结构配置工具始终使用最新映像,则可以提供持久访问。

已经开发了一种工具来促进在云容器镜像中种植后门。如果攻击者有权访问受感染的AWS实例,并且有权列出可用的容器映像,则他们可能会植入后门,例如Web Shell。攻击者还可能植入可能在云部署中无意中使用的Docker映像,这在某些加密挖矿僵尸网络实例中已有报道。

Implant Container Image

Amazon Web Service (AWS) Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored to include malicious code. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.

A tool has been developed to facilitate planting backdoors in cloud container images.If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a web shell.Adversaries may also implant Docker images that may be inadvertently used in cloud deployments, which has been reported in some instances of cryptomining botnets

标签

ID编号: T1525

策略: 持久性

平台: GCP,Azure,AWS

所需权限: user

缓解措施

减轻 描述
审计 (M1047) 定期检查云部署中使用的映像和容器的完整性,以确保未对其进行修改以包括恶意软件。
代码签名(M1045) 一些云服务提供商支持内容信任模型,这些模型要求容器映像由受信任的源签名。
特权账户管理 (M1026) 根据最小特权原则,限制与创建和修改平台映像或容器相关的权限。
Mitigation Description
Audit (M1047) Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software.
Code Signing (M1045) Several cloud service providers support content trust models that require container images be signed by trusted sources. [4] [5]
Privileged Account Management (M1026) Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege.

检测

监视用户与镜像和容器的交互,以识别异常添加或修改的镜像和容器。

Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.