
Image Creation (b008766d-f34f-4ded-b712-659f59aaed6e)

Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples:

  • Azure Compute Service Image Creation
    • Example: Creating a virtual machine image in Azure using Azure CLI: az image create --resource-group MyResourceGroup --name MyImage --source MyVM
  • AWS EC2 AMI (Amazon Machine Image) Creation
    • Example: Creating an AMI from an EC2 instance: aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"
  • Google Cloud Compute Engine Image Creation
    • Example: Creating a custom image using gcloud: gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a
  • VMware vSphere
    • Example: Exporting a VM to an OVF (Open Virtualization Format) template; the exported template could later be imported into other environments after tampering.

This data component can be collected through the following measures:

Enable Cloud Platform Logging

  • Azure: Enable "Activity Logs" to capture image write operations (operationName Microsoft.Compute/images/write, i.e. PUT requests to Microsoft.Compute/images).
  • AWS: Use AWS CloudTrail to monitor CreateImage API calls; RegisterImage, CopyImage and ImportImage also produce a new AMI and should be watched alongside it.
  • Google Cloud: Enable "Cloud Audit Logs" (Admin Activity) to track custom image creation events from compute.googleapis.com, method v1.compute.images.insert.

API Monitoring

  • Monitor API activity to track the creation of new images using:
    • AWS SDK/CLI CreateImage.
    • Azure REST API for image creation.
    • Google Cloud Compute Engine APIs.

Cloud SIEM Integration

  • Ingest cloud platform logs into a centralized SIEM for real-time monitoring and alerting.
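The collection steps above (platform logs, API monitoring, SIEM ingestion) come together as a detection rule that parses each provider's log records and alerts on image creation. The following Python is an added example, not code from the MITRE ATT&CK or MISP page: the sample records are constructed to follow the documented field layout of CloudTrail, Azure Activity Log and GCP Cloud Audit Log entries, but every identifier (account, subscription, project, image names, the ALLOWED_BUILDERS allow-list) is made up. Treating RegisterImage, CopyImage and ImportImage as image-creation events, and ranking severity by whether the actor is a known image-build principal, are this example's assumptions.

```python
"""Detect VM image creation across AWS, Azure and GCP log records.

Added example (not from the ATT&CK/MISP page). Record shapes follow the
documented log schemas; all identifiers are constructed.
"""
import json

# Operations that yield a new image. CreateImage, Microsoft.Compute/images/write and
# images.insert are named on the page; the extra AWS events are an assumption.
AWS_IMAGE_EVENTS = {"CreateImage", "RegisterImage", "CopyImage", "ImportImage"}
AZURE_IMAGE_OPS = {"microsoft.compute/images/write"}
GCP_IMAGE_METHODS = {"v1.compute.images.insert", "beta.compute.images.insert"}

# Assumed allow-list of principals expected to build images (e.g. a Packer CI role).
ALLOWED_BUILDERS = {
    "arn:aws:sts::111122223333:assumed-role/packer-build/ci",
    "packer-ci@example-project.iam.gserviceaccount.com",
}


def classify(record):
    """Return (provider, operation, actor, target) for an image-creation record, else None.

    Failed or in-progress operations are dropped so one creation raises one alert.
    """
    # AWS CloudTrail: a denied or failed call carries an errorCode field.
    if record.get("eventSource") == "ec2.amazonaws.com":
        name = record.get("eventName")
        if name in AWS_IMAGE_EVENTS and "errorCode" not in record:
            actor = record.get("userIdentity", {}).get("arn", "unknown")
            target = ((record.get("responseElements") or {}).get("imageId")
                      or (record.get("requestParameters") or {}).get("name", "?"))
            return ("aws", name, actor, target)
        return None

    # Azure Activity Log: operationName/status are strings (Event Hub schema) or
    # {"value": ...} objects (portal/REST schema). Only the terminal success event counts.
    op = record.get("operationName")
    if isinstance(op, dict):
        op = op.get("value")
    if isinstance(op, str) and op.lower() in AZURE_IMAGE_OPS:
        status = record.get("status") or record.get("resultType")
        if isinstance(status, dict):
            status = status.get("value")
        if str(status).lower() in ("succeeded", "success"):
            return ("azure", op, record.get("caller", "unknown"), record.get("resourceId", "?"))
        return None

    # GCP Admin Activity audit log: long-running operations log a first and a last
    # entry for the same operation id; keep only the first to deduplicate.
    proto = record.get("protoPayload") or {}
    op_meta = record.get("operation") or {}
    if (proto.get("serviceName") == "compute.googleapis.com"
            and proto.get("methodName") in GCP_IMAGE_METHODS
            and (not op_meta or op_meta.get("first", False))):
        actor = proto.get("authenticationInfo", {}).get("principalEmail", "unknown")
        return ("gcp", proto["methodName"], actor, proto.get("resourceName", "?"))
    return None


def scan(lines):
    """Parse JSON log lines and return alerts; actors outside the allow-list are high severity."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; a real pipeline would count these
        hit = classify(record)
        if hit is None:
            continue
        provider, op, actor, target = hit
        alerts.append({"provider": provider, "operation": op, "actor": actor, "target": target,
                       "severity": "low" if actor in ALLOWED_BUILDERS else "high"})
    return alerts


# Constructed sample records in the shape of each provider's log schema (not real data).
_AZ_RES = "/subscriptions/0000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/images/MyImage"
_GCP_PROTO = {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.images.insert",
              "authenticationInfo": {"principalEmail": "packer-ci@example-project.iam.gserviceaccount.com"},
              "resourceName": "projects/example-project/global/images/my-custom-image"}
SAMPLE_LOGS = [json.dumps(r) for r in [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateImage",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/packer-build/ci"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "name": "app-base"},
     "responseElements": {"imageId": "ami-0f1e2d3c4b5a69788"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RegisterImage",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"name": "golden-image-v2"},
     "responseElements": {"imageId": "ami-0a1b2c3d4e5f60718"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateImage", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"}},
    {"operationName": {"value": "Microsoft.Compute/images/write"}, "status": {"value": "Started"},
     "caller": "alice@example.com", "resourceId": _AZ_RES},
    {"operationName": {"value": "Microsoft.Compute/images/write"}, "status": {"value": "Succeeded"},
     "caller": "alice@example.com", "resourceId": _AZ_RES},
    {"protoPayload": _GCP_PROTO, "operation": {"id": "op-1", "first": True}},
    {"protoPayload": _GCP_PROTO, "operation": {"id": "op-1", "last": True}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the scan yields four alerts: the Packer-role CreateImage and the service-account images.insert as low severity, and the contractor's RegisterImage and the Azure image write as high, while the denied CreateImage, the Azure "Started" event, the duplicate GCP "last" entry and the DescribeImages call are discarded. In production the same logic sits on CloudTrail, Activity Log and Cloud Audit Log streams ingested into the SIEM; the allow-list should be the set of identities that legitimately build images, and everything else is an investigation.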
Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Implant Internal Image - T1525 (4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f) | Attack Pattern | Image Creation (b008766d-f34f-4ded-b712-659f59aaed6e) | mitre-data-component | 1
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) | Attack Pattern | Image Creation (b008766d-f34f-4ded-b712-659f59aaed6e) | mitre-data-component | 1
Image Creation (b008766d-f34f-4ded-b712-659f59aaed6e) | mitre-data-component | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 1
Image Creation (b008766d-f34f-4ded-b712-659f59aaed6e) | mitre-data-component | Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) | Attack Pattern | 1
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2