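--- /dev/null
+++ b/<path-not-on-page>
@@ -0,0 +1,29 @@
+attack_technique: T1612
+display_name: "Build Image on Host"
+atomic_tests:
+- name: Build Image On Host
+description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
+supported_platforms:
+- containers
+dependency_executor_name: sh
+dependencies:
+- description: Verify docker is installed.
+prereq_command: |
+which docker
+get_prereq_command: |
+if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+
+- description: Verify docker service is running.
+prereq_command: |
+sudo systemctl status docker --no-pager
+get_prereq_command: |
+sudo systemctl start docker
+executor:
+command: |-
+docker build -t t1612 $PathtoAtomicsFolder/T1612/src/
+docker run --name t1612_container -d -t t1612
+docker exec t1612_container ./test.sh
+cleanup_command: |-
+docker stop t1612_container
+docker rmi -f t1612
+name: sh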
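Review bot: The installed-check in the first dependency's get_prereq_command uses `==` inside `[ ]`, but the executor is `sh`; where sh is dash, `[ "" == ... ]` is rejected as an unexpected operator, the `if` falls into the else branch and prints "Docker installed" without installing anything, so the prerequisite never gets fixed. Use the POSIX form `if [ -z "$(command -v docker)" ]; then echo "Docker Not Found"; ...`. On Debian/Ubuntu the engine package is usually `docker.io`, not `docker`, so the apt-get branch likely installs the wrong thing as well. The cleanup_command stops the container but never removes it, so a second run of `docker run --name t1612_container` fails with a name conflict and `docker rmi -f t1612` leaves a dangling layer; change the first cleanup line to `docker rm -f t1612_container`. Indentation is not visible on this rendered page, so the YAML nesting could not be checked here.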
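--- /dev/null
+++ b/<dockerfile-path-not-on-page>
@@ -0,0 +1,9 @@
+FROM ubuntu:20.04
+WORKDIR /
+LABEL key="CyberSecurity_project"
+RUN echo "CyberSecurity_project"
+RUN apt update && apt install -y git
+COPY test.sh /test.sh
+RUN chmod +x /test.sh
+ENTRYPOINT ["tail", "-f", "/dev/null"]
+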
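Review bot: The `RUN apt update && apt install -y git` line installs git that nothing in the image uses (the copied test.sh only echoes a string), which turns a fixed test fixture into a network-dependent build and bloats the layer; drop the line, or if git is needed later write `RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*` so the package cache does not persist in the image. `apt` itself warns that its CLI is not stable for scripting, so `apt-get` is the conventional choice in Dockerfiles. The base image `ubuntu:20.04` is pulled by floating tag; pinning it by digest would make the fixture reproducible and keep the atomic test from silently building against a different base. The `LABEL key="CyberSecurity_project"` uses the literal label name `key`, which reads like a placeholder and is worth replacing with a descriptive key or removing.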
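--- /dev/null
+++ b/<path-not-on-page>/test.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/bash
+
+echo "You have been hacked"
+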
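Review bot: The shebang `#!/usr/bin/bash` assumes bash lives under /usr/bin, which holds only on usr-merged systems; the script uses no bash-specific features, so `#!/bin/sh` is the portable form (or `#!/usr/bin/env bash` if bash is deliberately wanted). Because this file runs inside the container via `docker exec t1612_container ./test.sh`, a missing interpreter would surface only as a runtime failure of the executor step rather than at build time.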