AWS ECR image uploaded

ID: aws_ecr_image_uploaded
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0002:T1204.003

Description

AlphaSOC detected that a container image was unexpectedly pushed to Elastic Container Registry (ECR). This activity suggests potential malicious intent, such as preparing for container-based attacks, establishing persistence, or poisoning the CI/CD pipeline. While ECR image uploads are common in cloud environments, adversaries can also use them to introduce malicious containers. Actions initiated by AWS services are exempt from the detection to avoid false positives.
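As an added illustration (not AlphaSOC's own detection code), the check below runs the same idea over constructed CloudTrail records: an ECR PutImage call by a principal that is neither an AWS service nor on an allowlist of expected pushers is flagged. The allowlist, the sample account number and ARNs, and the use of userIdentity.type / invokedBy for the service exemption are assumptions; the page does not say how AlphaSOC decides what is "unexpected".

```python
# Constructed sample CloudTrail records (not real events); only the fields the
# check reads are included, real records carry many more.
SAMPLE_EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"repositoryName": "app/api", "imageTag": "v2.1"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"type": "AWSService", "invokedBy": "codebuild.amazonaws.com"},
     "requestParameters": {"repositoryName": "app/api", "imageTag": "build-57"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "DescribeImages",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"repositoryName": "app/api"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-pusher/gha"},
     "requestParameters": {"repositoryName": "app/web", "imageTag": "latest"}},
]

# Assumed allowlist of principals whose pushes are expected; the page does not
# say how AlphaSOC decides what is "unexpected".
EXPECTED_PUSHERS = {"arn:aws:sts::111122223333:assumed-role/ci-pusher/gha"}


def is_unexpected_ecr_upload(event, expected_pushers=EXPECTED_PUSHERS):
    """True for a PutImage (manifest push) by a principal that is neither an
    AWS service nor on the expected-pusher allowlist."""
    if event.get("eventSource") != "ecr.amazonaws.com":
        return False
    if event.get("eventName") != "PutImage":
        return False
    ident = event.get("userIdentity") or {}
    # Exempt service-initiated actions, as the detection does; the exact
    # fields used for that exemption are an assumption here.
    if ident.get("type") == "AWSService" or ident.get("invokedBy"):
        return False
    return ident.get("arn") not in expected_pushers


def detect(events, expected_pushers=EXPECTED_PUSHERS):
    """One finding per unexpected upload, with what an analyst needs first."""
    findings = []
    for ev in events:
        if is_unexpected_ecr_upload(ev, expected_pushers):
            rp = ev.get("requestParameters") or {}
            findings.append({"principal": ev["userIdentity"].get("arn"),
                             "repository": rp.get("repositoryName"),
                             "tag": rp.get("imageTag")})
    return findings
```

Only the push by the IAM user is reported; the CodeBuild-initiated push is exempt and the CI role is allowlisted, while the DescribeImages read is ignored because it is not an upload.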

Impact

Uploading malicious images to ECR can lead to the execution of unauthorized code within the cloud environment. This can result in data breaches, resource hijacking, or lateral movement within the network, or it can serve as a foothold for further attacks. Compromised container images may also be used to exfiltrate sensitive data or mine cryptocurrency.

Severity

Severity | Condition
Low      | ECR image uploaded unexpectedly

Investigation and Remediation

Investigate the source and content of the uploaded image. Verify whether the upload was authorized and performed by a legitimate user. Scan the image for vulnerabilities and malware. If the image is determined to be malicious, remove it from ECR immediately. Review access logs and user permissions for ECR. If compromise is confirmed, rotate credentials and review other potentially affected resources.