Implant Internal Image
Info
ID: AT-DC005
Tactic: Deepening Control
Adversaries may create or alter container images stored in the organization's internal registry so that when new services deploy or scale, they automatically run malicious code. By embedding backdoors, cryptominers, or other harmful scripts into images that developers assume are trusted, attackers ensure the repeated reintroduction of malicious workloads. These implants often leverage official or well-established base images to disguise their modifications.
In large microservice architectures, images are constantly pulled as part of auto-scaling or environment refreshes. A compromised base image can spread quickly across multiple services, complicating cleanup. Until defenders identify and remove every infected image (and references to it in deployment scripts), adversaries can persist at scale without needing additional external injection points.
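One control that directly counters this technique is refusing to deploy any image that is not pinned to a digest the build pipeline produced, so a repointed tag or an altered image in the internal registry is caught before it scales out. The following is an added example, not code from this entry; the registry hostname `registry.internal.example`, the allowlisted digests, and the sample manifest are all constructed for illustration.

```python
"""Audit container image references in deployment manifests against an
allowlist of build-pipeline digests.  Added example; all hostnames, digests
and manifest text below are constructed, not taken from any real system."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: only this internal registry is an acceptable image source.
TRUSTED_REGISTRIES = {"registry.internal.example"}

# Constructed allowlist: repository -> digests emitted by the trusted build.
KNOWN_GOOD_DIGESTS = {
    "registry.internal.example/base/python": {"sha256:" + "a1" * 32},
    "registry.internal.example/svc/api": {"sha256:" + "b2" * 32},
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Matches 'image: ref' or '- image: ref' lines in a Kubernetes-style manifest.
IMAGE_LINE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\s\"']+)[\"']?\s*$", re.M)


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def name(self) -> str:
        return f"{self.registry}/{self.repository}"


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry/repo[:tag][@sha256:...]' into parts; references with
    no registry host are Docker Hub shorthand and normalise to docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # A leading component containing '.' or ':' (or 'localhost') is a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # The tag separator is a ':' after the last '/'; host ports sit before it.
    last_slash, colon = path.rfind("/"), path.rfind(":")
    tag = None
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


def audit_image(ref: str) -> list[str]:
    """Return findings for one image reference; an empty list means it passes."""
    img = parse_image_ref(ref)
    findings = []
    if img.registry not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted registry: {img.registry}")
    if img.digest is None:
        findings.append("not pinned to a digest (a tag can be repointed in the registry)")
        if img.tag in (None, "latest"):
            findings.append("floating tag ('latest' or none)")
    elif not DIGEST_RE.match(img.digest):
        findings.append(f"malformed digest: {img.digest}")
    elif img.digest not in KNOWN_GOOD_DIGESTS.get(img.name, set()):
        findings.append("digest not in build-pipeline allowlist")
    return findings


def audit_manifest(manifest: str) -> dict[str, list[str]]:
    """Map every image reference found in the manifest text to its findings."""
    return {ref: audit_image(ref) for ref in IMAGE_LINE_RE.findall(manifest)}


# Constructed sample manifest: one pinned image, one tagged, one from Docker Hub.
SAMPLE_MANIFEST = f"""\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: api
        image: registry.internal.example/svc/api@sha256:{"b2" * 32}
      - name: sidecar
        image: registry.internal.example/base/python:3.12
      - name: helper
        image: python:latest
"""

if __name__ == "__main__":
    for ref, findings in audit_manifest(SAMPLE_MANIFEST).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ref}\n    {status}")
```

Run as a CI gate or admission check, the audit rejects anything not pinned to a digest the pipeline produced, which is exactly the state an implanted image needs to avoid: a swapped image changes the digest even when the tag is unchanged. The allowlist itself has to come from a source the attacker cannot write to (a signed build attestation rather than the registry), otherwise a compromised pipeline simply registers its own digest as known-good.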