T1612 Build Image on Host Mappings

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)

An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1612 Build Image on Host
AC-2 Account Management Protects T1612 Build Image on Host
AC-3 Access Enforcement Protects T1612 Build Image on Host
AC-6 Least Privilege Protects T1612 Build Image on Host
CA-8 Penetration Testing Protects T1612 Build Image on Host
CM-6 Configuration Settings Protects T1612 Build Image on Host
CM-7 Least Functionality Protects T1612 Build Image on Host
RA-5 Vulnerability Monitoring and Scanning Protects T1612 Build Image on Host
SA-11 Developer Testing and Evaluation Protects T1612 Build Image on Host
SC-7 Boundary Protection Protects T1612 Build Image on Host
SI-4 System Monitoring Protects T1612 Build Image on Host
action.malware.variety.Unknown Unknown related-to T1612 Build Image on Host