Merge branch 'master' into T1562.003

2023-04-13 10:36:34 -04:00
parent 9f363c905c fbdc0c4669
commit 2a8a2b04b6
29 changed files with 238 additions and 15 deletions
@@ -12,7 +12,7 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
-          python-version: '3.12' 
+          python-version: '3.11.2' 
          cache: 'poetry'
      - name: Generate shields.io URL
        run: python generate_shield.py atomics/
@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
@@ -14,3 +14,4 @@ privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
+defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
@@ -285,6 +285,7 @@ defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
+defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -70,7 +70,8 @@
  - Atomic Test #1: Deploy Docker container [containers]
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1612 Build Image on Host](../../T1612/T1612.md)
+  - Atomic Test #1: Build Image On Host [containers]
 - T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -397,7 +397,8 @@
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1612 Build Image on Host](../../T1612/T1612.md)
+  - Atomic Test #1: Build Image On Host [containers]
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -112,7 +112,7 @@
 |  |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [Build Image on Host](../../T1612/T1612.md) |  |  |  |  |  |  |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [IIS Components](../../T1505.004/T1505.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -7862,6 +7862,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -7800,7 +7800,45 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
-    atomic_tests: []
+      identifier: T1612
+    atomic_tests:
+    - name: Build Image On Host
+      auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
+      description: Adversaries may build a container image directly on a host to bypass
+        defenses that monitor for the retrieval of malicious images from a public
+        registry. An adversary may take advantage of that build API to build a custom
+        image on the host that includes malware downloaded from their C2 server, and
+        then they then may utilize Deploy Container using that custom image.
+      supported_platforms:
+      - containers
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify docker is installed.
+        prereq_command: 'which docker
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+      - description: Verify docker service is running.
+        prereq_command: 'sudo systemctl status docker  --no-pager
+
+          '
+        get_prereq_command: 'sudo systemctl start docker
+
+          '
+      executor:
+        command: |-
+          docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
+          docker run --name t1612_container  -d -t t1612
+          docker exec t1612_container ./test.sh
+        cleanup_command: |-
+          docker stop t1612_container
+          docker rmi -f t1612
+        name: sh
  T1055.002:
    technique:
      x_mitre_platforms:
@@ -26814,6 +26852,10 @@ execution:
          description: Command to run
          type: string
          default: uname
+        path:
+          description: Path to busybox.yaml file
+          type: string
+          default: "$PathtoAtomicsFolder/T1609/src/busybox.yaml"
      dependencies:
      - description: 'kubectl must be installed

@@ -26826,7 +26868,9 @@ execution:
          '
      executor:
        command: |
-          kubectl create -f src/busybox.yaml -n #{namespace}
+          kubectl create -f #{path} -n #{namespace}
+          # wait 3 seconds for the instance to come up
+          sleep 3
          kubectl exec -n #{namespace} busybox -- #{command}
        cleanup_command: 'kubectl delete pod busybox -n #{namespace}

@@ -7766,6 +7766,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -7766,6 +7766,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -7766,6 +7766,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -7766,6 +7766,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -7766,6 +7766,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -15268,7 +15268,45 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
-    atomic_tests: []
+      identifier: T1612
+    atomic_tests:
+    - name: Build Image On Host
+      auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
+      description: Adversaries may build a container image directly on a host to bypass
+        defenses that monitor for the retrieval of malicious images from a public
+        registry. An adversary may take advantage of that build API to build a custom
+        image on the host that includes malware downloaded from their C2 server, and
+        then they then may utilize Deploy Container using that custom image.
+      supported_platforms:
+      - containers
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify docker is installed.
+        prereq_command: 'which docker
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+      - description: Verify docker service is running.
+        prereq_command: 'sudo systemctl status docker  --no-pager
+
+          '
+        get_prereq_command: 'sudo systemctl start docker
+
+          '
+      executor:
+        command: |-
+          docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
+          docker run --name t1612_container  -d -t t1612
+          docker exec t1612_container ./test.sh
+        cleanup_command: |-
+          docker stop t1612_container
+          docker rmi -f t1612
+        name: sh
  T1055.002:
    technique:
      x_mitre_platforms:
@@ -46394,6 +46432,10 @@ execution:
          description: Command to run
          type: string
          default: uname
+        path:
+          description: Path to busybox.yaml file
+          type: string
+          default: "$PathtoAtomicsFolder/T1609/src/busybox.yaml"
      dependencies:
      - description: 'kubectl must be installed

@@ -46406,7 +46448,9 @@ execution:
          '
      executor:
        command: |
-          kubectl create -f src/busybox.yaml -n #{namespace}
+          kubectl create -f #{path} -n #{namespace}
+          # wait 3 seconds for the instance to come up
+          sleep 3
          kubectl exec -n #{namespace} busybox -- #{command}
        cleanup_command: 'kubectl delete pod busybox -n #{namespace}

@@ -9568,6 +9568,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -8920,6 +8920,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -7766,6 +7766,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -7766,6 +7766,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -13083,6 +13083,7 @@ defense-evasion:
      x_mitre_permissions_required:
      - User
      - root
+      identifier: T1612
    atomic_tests: []
  T1055.002:
    technique:
@@ -30,13 +30,16 @@ Attackers who have permissions, can run malicious commands in containers in the
 |------|-------------|------|---------------|
 | namespace | K8s namespace to use | string | default|
 | command | Command to run | string | uname|
+| path | Path to busybox.yaml file | string | $PathtoAtomicsFolder/T1609/src/busybox.yaml|


 #### Attack Commands: Run with `bash`! 


 ```bash
-kubectl create -f src/busybox.yaml -n #{namespace}
+kubectl create -f #{path} -n #{namespace}
+# wait 3 seconds for the instance to come up
+sleep 3
 kubectl exec -n #{namespace} busybox -- #{command}
 ```

@@ -16,6 +16,10 @@ atomic_tests:
      description: Command to run
      type: string
      default: uname
+    path:
+      description: Path to busybox.yaml file
+      type: string
+      default: $PathtoAtomicsFolder/T1609/src/busybox.yaml  
  dependencies:
  - description: |
      kubectl must be installed
@@ -25,7 +29,9 @@ atomic_tests:
      which kubectl
  executor:
    command: |
-      kubectl create -f src/busybox.yaml -n #{namespace}
+      kubectl create -f #{path} -n #{namespace}
+      # wait 3 seconds for the instance to come up
+      sleep 3
      kubectl exec -n #{namespace} busybox -- #{command}
    cleanup_command: |
      kubectl delete pod busybox -n #{namespace}
@@ -5,10 +5,10 @@ metadata:
 spec:
  containers:
  - name: busybox
-    image: busybox:stable
-    imagePullPolicy: IfNotPresent
+    image: busybox
+    imagePullPolicy: Always
    command:
    - /bin/sh
    - -c
    - while true; do sleep 30; done;
-  restartPolicy: OnFailure
+  restartPolicy: OnFailure
@@ -0,0 +1,67 @@
+# T1612 - Build Image on Host
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1612)
+<blockquote>Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
+
+An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Build Image On Host](#atomic-test-1---build-image-on-host)
+
+
+<br/>
+
+## Atomic Test #1 - Build Image On Host
+Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 2db30061-589d-409b-b125-7b473944f9b3
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
+docker run --name t1612_container  -d -t t1612
+docker exec t1612_container ./test.sh
+```
+
+#### Cleanup Commands:
+```sh
+docker stop t1612_container
+docker rmi -f t1612
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Verify docker is installed.
+##### Check Prereq Commands:
+```sh
+which docker
+```
+##### Get Prereq Commands:
+```sh
+if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+```
+##### Description: Verify docker service is running.
+##### Check Prereq Commands:
+```sh
+sudo systemctl status docker  --no-pager
+```
+##### Get Prereq Commands:
+```sh
+sudo systemctl start docker
+```
+
+
+
+
+<br/>
@@ -0,0 +1,30 @@
+attack_technique: T1612
+display_name: "Build Image on Host"
+atomic_tests:
+- name: Build Image On Host
+  auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
+  description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
+  supported_platforms:
+  - containers
+  dependency_executor_name: sh
+  dependencies:
+  - description: Verify docker is installed.
+    prereq_command: |
+      which docker
+    get_prereq_command: |
+      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+
+  - description: Verify docker service is running.
+    prereq_command: |
+      sudo systemctl status docker  --no-pager
+    get_prereq_command: |
+      sudo systemctl start docker
+  executor:
+    command: |-
+      docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
+      docker run --name t1612_container  -d -t t1612
+      docker exec t1612_container ./test.sh
+    cleanup_command: |-
+      docker stop t1612_container
+      docker rmi -f t1612
+    name: sh
@@ -0,0 +1,9 @@
+FROM ubuntu:20.04
+WORKDIR /
+LABEL key="CyberSecurity_project"
+RUN echo "CyberSecurity_project"
+RUN apt update && apt install -y git
+COPY test.sh /test.sh
+RUN chmod +x /test.sh
+ENTRYPOINT ["tail", "-f", "/dev/null"]
+
@@ -0,0 +1,4 @@
+#!/usr/bin/bash
+
+echo "You have been hacked"
+
@@ -1291,3 +1291,4 @@ c3a377f9-1203-4454-aa35-9d391d34768f
 fb4151a2-db33-4f8c-b7f8-78ea8790f961
 adae83d3-0df6-45e7-b2c3-575f91584577
 e3ad8e83-3089-49ff-817f-e52f8c948090
+2db30061-589d-409b-b125-7b473944f9b3