T1612 Build Image on Host Mappings

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)

An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize Deploy Container using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1612 Build Image on Host
AC-02 Account Management Protects T1612 Build Image on Host
AC-03 Access Enforcement Protects T1612 Build Image on Host
AC-06 Least Privilege Protects T1612 Build Image on Host
CA-08 Penetration Testing Protects T1612 Build Image on Host
CM-06 Configuration Settings Protects T1612 Build Image on Host
CM-07 Least Functionality Protects T1612 Build Image on Host
RA-05 Vulnerability Monitoring and Scanning Protects T1612 Build Image on Host
SA-11 Developer Testing and Evaluation Protects T1612 Build Image on Host
SC-07 Boundary Protection Protects T1612 Build Image on Host
SI-04 System Monitoring Protects T1612 Build Image on Host