Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize Deploy Container using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-17 | Remote Access | Protects | T1612 | Build Image on Host |
| AC-02 | Account Management | Protects | T1612 | Build Image on Host |
| AC-03 | Access Enforcement | Protects | T1612 | Build Image on Host |
| AC-06 | Least Privilege | Protects | T1612 | Build Image on Host |
| CA-08 | Penetration Testing | Protects | T1612 | Build Image on Host |
| CM-06 | Configuration Settings | Protects | T1612 | Build Image on Host |
| CM-07 | Least Functionality | Protects | T1612 | Build Image on Host |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1612 | Build Image on Host |
| SA-11 | Developer Testing and Evaluation | Protects | T1612 | Build Image on Host |
| SC-07 | Boundary Protection | Protects | T1612 | Build Image on Host |
| SI-04 | System Monitoring | Protects | T1612 | Build Image on Host |