Triggers
- After enumerating ECR repositories and enumerating the images within those repositories, the attacker requests an authorization token for an image.
Possible Root Causes
- An attacker is inserting a backdoor into an existing image.
- An ECR administrator is making an authorized change to the image.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
- An inserted backdoor may provide hidden access persistence within the environment, allowing attackers to return to the environment after eviction.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Validate that any modifications are authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.