Image Metadata Inspection

Image Metadata Inspection is a reconnaissance subtechnique where attackers analyze embedded metadata in images to gather information about an application's infrastructure, dependencies, and potential security vulnerabilities. During the Application Dependencies Mapping phase, adversaries examine EXIF data, comments, and other hidden information within images hosted on web applications or distributed through software packages. This metadata can reveal server paths, component versions, user information, geolocation data, camera specifics, and timestamps that help attackers build a comprehensive understanding of the target environment. By extracting this information, attackers can identify outdated dependencies vulnerable to exploitation, map internal directory structures, determine software versions in use, and potentially discover sensitive information inadvertently left in production images. This technique is particularly valuable for reconnaissance as it provides insights with minimal interaction with the target system, often requiring only passive access to publicly available resources.

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1030 | Network Segmentation | Restrict unauthenticated docker pull / crictl access to internal registries; expose only token-gated endpoints. |
| M1057 | Data Loss Prevention | Remove sensitive ENV labels, build args, or history layers before publishing public container images. |
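
The M1057 mitigation can be enforced as a pre-publish check. The following is an added example, not code from the original page or from any project: it scans an OCI image config document for credential-like names in `config.Env`, `config.Labels` and `history[].created_by`. The name patterns, the function name `audit_image_config` and the sample config are assumptions constructed for illustration.

```python
import json
import re

# Assumed heuristic for credential-like names; tune per organisation.
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
# Build args typically appear in history as "|1 NAME=value /bin/sh -c ...",
# ENV steps as "ENV NAME=value"; both are caught as NAME=value assignments.
ASSIGNMENT = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(\S+)")


def audit_image_config(cfg):
    """Return (location, name) pairs for metadata that should not ship publicly."""
    findings = []
    conf = cfg.get("config") or {}
    for entry in conf.get("Env") or []:
        name, _, value = entry.partition("=")
        if value and SENSITIVE_NAME.search(name):
            findings.append(("config.Env", name))
    for key, value in (conf.get("Labels") or {}).items():
        if value and SENSITIVE_NAME.search(key):
            findings.append(("config.Labels", key))
    for i, layer in enumerate(cfg.get("history") or []):
        for name, _value in ASSIGNMENT.findall(layer.get("created_by", "")):
            if SENSITIVE_NAME.search(name):
                findings.append((f"history[{i}].created_by", name))
    return findings


# Constructed sample config (not taken from a real image).
SAMPLE_CONFIG = json.loads("""
{
  "config": {
    "Env": ["PATH=/usr/local/bin:/usr/bin", "DB_PASSWORD=example-not-real"],
    "Labels": {"maintainer": "build@example.invalid", "ci.deploy_token": "example-not-real"}
  },
  "history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
    {"created_by": "|1 NPM_TOKEN=example-not-real /bin/sh -c npm ci"},
    {"created_by": "/bin/sh -c #(nop)  ENV DB_PASSWORD=example-not-real"}
  ]
}
""")

if __name__ == "__main__":
    # Report only the location and variable name, never the value itself.
    for location, name in audit_image_config(SAMPLE_CONFIG):
        print(f"{location}: {name}")
```

A non-empty result is a reason to fail the publish step; values set in an earlier layer remain visible in `history` even when a later layer unsets them.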

Detection

Image-metadata inspection generally occurs on public container registries or image hosting services, beyond the scope of enterprise sensors.

Limited insight can come from:

  • Registry download metrics if the organisation controls the registry and reviews anonymous pull statistics or access logs.
  • Threat-intel monitoring that tracks automated skopeo inspect/docker manifest crawling campaigns targeting the organisation’s images.
  • Subsequent malicious activity that leverages build arguments or ENV variables discovered in image metadata.