T1612 Build Image on Host

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)

An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize Deploy Container using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it's a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.
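The detection angle that follows from the description above is that the build itself is visible wherever the engine API is reachable: a build request is a POST to the daemon's build endpoint, and a build arriving from anything other than the sanctioned CI runners is the event worth alerting on. The following is an added example (not part of the ATT&CK page or any mapped framework) that parses Common Log Format access-log lines from a reverse proxy placed in front of the Docker engine API and reports build requests from non-allowlisted clients. The log lines, the client addresses and the allowlist are all constructed for the example; the endpoint shape (/build with an optional /v1.NN version prefix, tag in the t query parameter, remote build context in remote) follows the public Docker engine API.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one build request that an analyst should look at.
type Finding struct {
	Client string // source address of the API client
	Status string // HTTP status the daemon returned (2xx = build started)
	Tag    string // image tag requested with the build (?t=...)
	Remote string // remote build context (?remote=...), if the client gave one
	Line   string // the raw log line, kept for triage
}

// clfRe matches Common Log Format as written by a reverse proxy fronting the
// Docker engine API: client ident user [time] "METHOD path HTTP/x" status bytes
var clfRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) \S+`)

// buildPathRe matches the build endpoint with or without the optional API
// version prefix (/build, /v1.43/build, ...). The query string is stripped first.
var buildPathRe = regexp.MustCompile(`^(?:/v\d+\.\d+)?/build$`)

// IsBuildRequest reports whether method and path address the image build endpoint.
func IsBuildRequest(method, rawPath string) bool {
	if method != "POST" {
		return false
	}
	path := rawPath
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	return buildPathRe.MatchString(path)
}

// FindBuildRequests parses proxy log text and returns every build request
// that did not come from an allowlisted client (the sanctioned CI build hosts).
// Lines that are not request lines are skipped.
func FindBuildRequests(logText string, allowedClients map[string]bool) []Finding {
	var findings []Finding
	for _, line := range strings.Split(logText, "\n") {
		m := clfRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		client, method, rawPath, status := m[1], m[2], m[3], m[4]
		if !IsBuildRequest(method, rawPath) || allowedClients[client] {
			continue
		}
		f := Finding{Client: client, Status: status, Line: line}
		// The path is a request-target; url.Parse decodes the query for us.
		if u, err := url.Parse(rawPath); err == nil {
			q := u.Query()
			f.Tag = q.Get("t")
			f.Remote = q.Get("remote")
		}
		findings = append(findings, f)
	}
	return findings
}

// sampleLog is constructed for this example: one sanctioned CI host (10.0.4.20)
// pulling a base image and building, and one workstation (10.0.9.77) that
// lists images, then builds twice, the second time from a remote build context.
const sampleLog = `10.0.4.20 - - [12/Mar/2024:09:14:02 +0000] "POST /v1.43/images/create?fromImage=alpine&tag=3.19 HTTP/1.1" 200 812
10.0.4.20 - - [12/Mar/2024:09:14:05 +0000] "POST /v1.43/build?t=internal%2Fapp%3A1.4.2&dockerfile=Dockerfile HTTP/1.1" 200 4091
10.0.9.77 - - [12/Mar/2024:11:02:41 +0000] "GET /v1.43/images/json HTTP/1.1" 200 2230
10.0.9.77 - - [12/Mar/2024:11:03:10 +0000] "POST /v1.43/build?t=internal%2Fapp%3Alatest HTTP/1.1" 200 3877
10.0.9.77 - - [12/Mar/2024:11:05:00 +0000] "POST /build?remote=https%3A%2F%2Fgit.example.internal%2Fapp.git%23main HTTP/1.1" 200 1500`

func main() {
	allowed := map[string]bool{"10.0.4.20": true} // assumed address of the CI runner
	for _, f := range FindBuildRequests(sampleLog, allowed) {
		fmt.Printf("build from %s (status %s) tag=%q remote=%q\n", f.Client, f.Status, f.Tag, f.Remote)
	}
}
```

Run against the constructed log it reports the two workstation builds and nothing from the CI host. The allowlist is deliberately keyed on the client address rather than on the image tag: the point of the technique is that the tag and base image look ordinary, so the source of the build request is the stronger signal. Where the daemon socket is only reachable locally, the same check belongs on host-level auditing of the Unix socket instead.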


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

PR.AA-05.02 | Privileged system access | Mitigates | T1612 | Build Image on Host
Comments: This diagnostic statement protects against Build Image on Host through the use of privileged account management and the use of multi-factor authentication.

PR.IR-01.01 | Network segmentation | Mitigates | T1612 | Build Image on Host
Comments: This diagnostic statement protects against Build Image on Host through the use of network segmentation, firewalls, secure network configuration, defense-in-depth and access isolation principles. Employing defense-in-depth and access isolation principles provides protection against adversaries attempting to build images on the host.

PR.PS-01.09 | Virtualized end point protection | Mitigates | T1612 | Build Image on Host
Comments: The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. Mitigating mechanisms such as network segmentation, limiting access to resources over the network, and privileged account management, implemented through network proxies, gateways, privileged accounts, and firewalls, may limit an adversary's ability to build malicious images via direct remote access to internal systems.

PR.IR-01.02 | Network device configurations | Mitigates | T1612 | Build Image on Host
Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversaries from building container images on hosts.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1612 | Build Image on Host
Comments: This diagnostic statement protects against Build Image on Host through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.

PR.IR-01.05 | Remote access protection | Mitigates | T1612 | Build Image on Host
Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.

PR.PS-01.08 | End-user device protection | Mitigates | T1612 | Build Image on Host
Comments: This diagnostic statement protects against Build Image on Host by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

CM-06 | Configuration Settings | mitigates | T1612 | Build Image on Host
AC-17 | Remote Access | mitigates | T1612 | Build Image on Host
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1612 | Build Image on Host
CM-02 | Baseline Configuration | mitigates | T1612 | Build Image on Host
SA-11 | Developer Testing and Evaluation | mitigates | T1612 | Build Image on Host
CM-07 | Least Functionality | mitigates | T1612 | Build Image on Host
SI-04 | System Monitoring | mitigates | T1612 | Build Image on Host
AC-02 | Account Management | mitigates | T1612 | Build Image on Host
AC-03 | Access Enforcement | mitigates | T1612 | Build Image on Host
AC-06 | Least Privilege | mitigates | T1612 | Build Image on Host
SC-07 | Boundary Protection | mitigates | T1612 | Build Image on Host

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

action.malware.variety.In-memory | In-memory (malware never stored to persistent storage) | related-to | T1612 | Build Image on Host
action.malware.variety.Unknown | Unknown | related-to | T1612 | Build Image on Host

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1612 | Build Image on Host

defender_for_containers | Microsoft Defender for Containers | technique_scores | T1612 | Build Image on Host
Comments: This capability can detect building a container image on the host.

defender_for_containers | Microsoft Defender for Containers | technique_scores | T1612 | Build Image on Host
Comments: This capability can protect against building a container image on the host.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

binary_authorization | Binary Authorization | technique_scores | T1612 | Build Image on Host
Comments: For each container image generated, a signer digitally signs it using a private key to produce the attestation. At deploy time, the enforcer uses the attester's public key to verify the signature and blocks the deployment if verification fails.
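The Binary Authorization comment above is the mitigation that most directly counters this technique: an image rebuilt on the host has a new content digest, so an attestation issued for the CI-built image no longer covers it and the deploy is blocked even though the base image is vanilla. The following is an added example, not code from the ATT&CK page or from Google's Binary Authorization, that models that signer/enforcer exchange. It assumes Ed25519 as a stand-in for the signature scheme (the real service uses PKIX or PGP keys attached to an attestor), attests the image digest string alone, and uses constructed manifest bytes in place of real image manifests.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation is what the signer emits for one image: the digest it vouches
// for, and a signature over exactly that digest made with the signer's private key.
type Attestation struct {
	ImageDigest string // "sha256:<hex>", the content address of the image
	Signature   []byte
}

// Signer is the trusted build pipeline that signs the images it produced.
type Signer struct{ priv ed25519.PrivateKey }

// NewSigner generates a fresh key pair and returns the public key the
// enforcer must be configured with. (Ed25519 is an assumption of this example.)
func NewSigner() (Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, nil, err
	}
	return Signer{priv: priv}, pub, nil
}

// Attest signs the digest; nothing else about the image is covered, so a
// rebuilt image (new digest) needs a new attestation from the signer.
func (s Signer) Attest(imageDigest string) Attestation {
	return Attestation{ImageDigest: imageDigest, Signature: ed25519.Sign(s.priv, []byte(imageDigest))}
}

// Enforcer is the deploy-time policy check holding the trusted attester keys.
type Enforcer struct{ trusted []ed25519.PublicKey }

// NewEnforcer builds an enforcer that trusts the given attester public keys.
func NewEnforcer(trusted ...ed25519.PublicKey) Enforcer { return Enforcer{trusted: trusted} }

// Admit returns nil only if some attestation names the digest being deployed
// and its signature verifies under a trusted key; otherwise the deploy is blocked.
func (e Enforcer) Admit(imageDigest string, atts []Attestation) error {
	for _, a := range atts {
		if a.ImageDigest != imageDigest {
			continue // attestation is for a different image
		}
		for _, pub := range e.trusted {
			if ed25519.Verify(pub, []byte(a.ImageDigest), a.Signature) {
				return nil
			}
		}
	}
	return errors.New("deploy blocked: no valid attestation from a trusted attester for " + imageDigest)
}

// ImageDigest derives the content address the way registries do for a
// manifest: sha256 over the bytes, rendered as "sha256:<hex>".
func ImageDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

func main() {
	signer, pub, err := NewSigner()
	if err != nil {
		panic(err)
	}
	enforcer := NewEnforcer(pub)

	// Constructed manifests standing in for real image manifests.
	ciImage := ImageDigest([]byte("manifest of the image built and signed by CI"))
	hostImage := ImageDigest([]byte("manifest of an image rebuilt on the host from the same base"))

	attestations := []Attestation{signer.Attest(ciImage)}
	fmt.Println("CI image:", enforcer.Admit(ciImage, attestations))
	fmt.Println("host-built image:", enforcer.Admit(hostImage, attestations))
}
```

Admit checks the digest match before the signature so that an attestation for one image cannot be replayed for another, and a signature from a key outside the trusted set fails regardless of the digest. Those two branches are exactly why a host-built image, however ordinary its base, does not get through: it has neither a matching digest nor a trusted signer.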