Name:AWS ECR Container Upload Outside Business Hours id:d4c4d4eb-3994-41ca-a25e-a82d64e125bb version:4 date:2024-09-30 author:Patrick Bareiss, Splunk status:production type:Anomaly Description:The following analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours. It leverages AWS CloudTrail logs to identify `PutImage` events occurring between 8 PM and 8 AM or on weekends. This activity is significant because container uploads outside business hours can indicate unauthorized or suspicious activity, potentially pointing to a compromised account or insider threat. If confirmed malicious, this could allow an attacker to deploy unauthorized or malicious containers, leading to potential data breaches or service disruptions. Data_source:
-AWS CloudTrail PutImage
search:`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`
how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives:When your development is spreaded in different time zones, applying this rule can be difficult. References: -https://attack.mitre.org/techniques/T1204/003/ drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Dev Sec Ops' asset_type:AWS Account confidence:70 impact:70 message:Container uploaded outside business hours from $user$ mitre_attack_id: - 'T1204.003' - 'T1204' observable: name:'src_ip' type:'IP Address' - role: - 'Attacker' name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'eventSource' - 'eventName' - 'awsRegion' - 'requestParameters.imageTag' - 'requestParameters.registryId' - 'requestParameters.repositoryName' - 'user' - 'userName' - 'src_ip' risk_score:49 security_domain:network
