Compromised image in registry

Info

ID: MS-TA9002
Tactic: Initial Access
MITRE technique: T1195.002, T1525

Running a compromised image in a cluster can compromise the cluster. Attackers who gain access to a private registry can plant their own compromised images there, and users may then pull those images. In addition, users often run untrusted images from public registries (such as Docker Hub) that may be malicious.

Mitigations

| ID | Mitigation | Description |
|----|------------|-------------|
| MS-M9004 | Secure CI/CD environment | Placing gates in the CI/CD process can block pushing unsecured code to container images. |
| MS-M9005 | Image Assurance Policy | Ensure that only images that passed the security compliance policies are pushed to registries and deployed to Kubernetes clusters. |
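
One way a deployment gate for the Image Assurance Policy mitigation could check a Pod before it is admitted, shown as an added example that is not part of the original page. The trusted registry name, the digest-pinning requirement and the sample Pod are assumptions made for illustration.

```python
import re

# Assumption: registries this cluster trusts (constructed name, not from the page).
TRUSTED_REGISTRIES = {"registry.example.internal"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def registry_of(image):
    """Return the registry host of an image reference, using Docker's defaulting rule."""
    first, sep, _ = image.partition("/")
    # The first path component is a registry only if it looks like a host name.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"  # bare names such as "nginx" resolve to Docker Hub

def image_violations(image):
    """List the policy violations for one image reference (empty list means allowed)."""
    problems = []
    reg = registry_of(image)
    if reg not in TRUSTED_REGISTRIES:
        problems.append(f"registry {reg} is not trusted")
    if not DIGEST_RE.search(image):
        # A tag is mutable: whoever can write to the registry can re-point it.
        problems.append("not pinned by sha256 digest")
    return problems

def review_pod(pod):
    """Check every container kind in a Pod manifest; return {image: violations}."""
    spec = pod.get("spec", {})
    findings = {}
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            image = c.get("image", "")
            problems = image_violations(image)
            if problems:
                findings[image] = problems
    return findings

# Constructed sample Pod, in the dict shape an admission webhook would receive.
SAMPLE_POD = {"spec": {
    "initContainers": [{"name": "init", "image": "busybox"}],
    "containers": [
        {"name": "api", "image": "registry.example.internal/team/api@sha256:" + "a" * 64},
        {"name": "web", "image": "registry.example.internal/team/web:1.4"},
    ]}}

if __name__ == "__main__":
    for image, problems in review_pod(SAMPLE_POD).items():
        print(image, "->", "; ".join(problems))
```

A digest pin only fixes which image content is pulled; it does not show that the image passed the compliance policy, so a gate like this would sit alongside scanning or signature verification in the registry and CI/CD pipeline.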