Use the searches in this story to monitor your Kub...

Description

Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.

MITRE ATT&CK Techniques

No MITRE techniques specified for this dataset.

Environment Details

Datasets

The following datasets were collected during this attack simulation:

Dataset_1

• Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1525/container_implant/container_implant_1.json
• Sourcetype: aws:cloudtrail
• Source: aws:cloudtrail

Dataset_2

• Path: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1525/container_implant/container_implant_2.json
• Sourcetype: unknown
• Source: unknown

Related Detections

No specific detections currently use this attack data for testing. However, you can find related detections and analytics in our security content repository.

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1525/container_implant/container_implant_1.json --index attack_data

Manual Import

1. Download the dataset files from the paths listed above
2. Configure your Splunk instance with the appropriate sourcetypes
3. Import the logs using the Splunk Add Data wizard

Related Content

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0