Merge pull request #2255 from aman143kri/dockerdeploy

Added Deploying a docker

atomics/T1610/T1610.yaml

@@ -0,0 +1,35 @@
+---
+attack_technique: T1610
+display_name: "Deploy a container"
+
+atomic_tests:
+- name: Deploy Docker container
+  description: |
+    Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands. Kinsing & Doki was exploited using this technique. 
+
+  supported_platforms:
+  - containers
+  
+  dependency_executor_name: sh
+  dependencies: 
+  - description: Verify docker is installed.
+    prereq_command: |
+      which docker
+    get_prereq_command: |
+      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+  
+  - description: Verify docker service is running.
+    prereq_command: |
+      sudo systemctl status docker  --no-pager
+    get_prereq_command: |
+      sudo systemctl start docker
+  
+
+  executor:
+    command: |
+      docker build -t t1610 $PathtoAtomicsFolder/T1610/src/
+      docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh
+    name: bash
+    cleanup_command: |
+      docker stop t1610_container
+      docker rmi -f t1610:latest 

atomics/T1610/src/dockerfile

@@ -0,0 +1,5 @@
+FROM ubuntu
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN  echo "1" > /tmp/output.txt && \
+     echo ' bin/sh -c "while true; do sleep 30;done;"' > /tmp/script.sh && chmod +x /tmp/script.sh