From e327248278ffaae900d84c71089057c5db029157 Mon Sep 17 00:00:00 2001
From: well123cs <119821998+well123cs@users.noreply.github.com>
Date: Fri, 17 Mar 2023 15:21:40 -0700
Subject: [PATCH 1/3] Add files via upload
---
atomics/T1612/T1612.yaml | 30 ++++++++++++++++++++++++++++++
atomics/T1612/src/Dockerfile | 9 +++++++++
atomics/T1612/src/test.sh | 4 ++++
3 files changed, 43 insertions(+)
create mode 100644 atomics/T1612/T1612.yaml
create mode 100644 atomics/T1612/src/Dockerfile
create mode 100644 atomics/T1612/src/test.sh
diff --git a/atomics/T1612/T1612.yaml b/atomics/T1612/T1612.yaml
new file mode 100644
index 00000000..47d287dc
--- /dev/null
+++ b/atomics/T1612/T1612.yaml
@@ -0,0 +1,30 @@
+attack_technique: T1612
+display_name: "Build Image on Host"
+atomic_tests:
+- name: Build Image On Host
+ auto_generated_guid:
+ description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry.
+ supported_platforms:
+ - containers
+ dependency_executor_name: sh
+ dependencies:
+ - description: Verify docker is installed.
+ prereq_command: |
+ which docker
+ get_prereq_command: |
+ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+
+ - description: Verify docker service is running.
+ prereq_command: |
+ sudo systemctl status docker --no-pager
+ get_prereq_command: |
+ sudo systemctl start docker
+ executor:
+ command: |-
+ docker build -t t1612 $PathtoAtomicsFolder/T1613/src/
+ docker run --name t1612_container -d -t t1612
+ docker exec t1612_container ./test.sh
+ cleanup_command: |-
+ docker stop t1612_container
+ docker rmi -f t1612
+ name: sh
diff --git a/atomics/T1612/src/Dockerfile b/atomics/T1612/src/Dockerfile
new file mode 100644
index 00000000..7e324ff1
--- /dev/null
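Review bot: The cleanup_command at the end of the hunk stops the container and force-removes the image but never removes the container, so the stopped `t1612_container` survives, a second run of the test fails on the `--name` collision, and `rmi -f` appears to only untag an image the dead container still references; add `docker rm t1612_container` between `docker stop t1612_container` and `docker rmi -f t1612`. In the first dependency's get_prereq_command, `[ "" == ... ]` is a bash-ism that dash (the `sh` this executor names on Debian/Ubuntu hosts) rejects with "unexpected operator", so use `=` there. The same fallback installs the apt package named `docker`, which on Debian/Ubuntu is not Docker Engine (that package is `docker.io`), so the prereq would report success without providing a usable daemon.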
+++ b/atomics/T1612/src/Dockerfile
@@ -0,0 +1,9 @@
+FROM ubuntu:20.04
+WORKDIR /
+LABEL key="CyberSecurity_project"
+RUN echo "CyberSecurity_project"
+RUN apt update && apt install -y git
+COPY test.sh /test.sh
+RUN chmod +x /test.sh
+ENTRYPOINT ["tail", "-f", "/dev/null"]
+
diff --git a/atomics/T1612/src/test.sh b/atomics/T1612/src/test.sh
new file mode 100644
index 00000000..d94dd1e6
--- /dev/null
+++ b/atomics/T1612/src/test.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/bash
+
+echo "You have been hacked"
+
From 1ca680d0d519b11547089ffc12f1af2db50126ce Mon Sep 17 00:00:00 2001
From: well123cs <119821998+well123cs@users.noreply.github.com>
Date: Fri, 17 Mar 2023 16:58:50 -0700
Subject: [PATCH 2/3] Update T1612.yaml
---
atomics/T1612/T1612.yaml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/atomics/T1612/T1612.yaml b/atomics/T1612/T1612.yaml
index 47d287dc..ffed1670 100644
--- a/atomics/T1612/T1612.yaml
+++ b/atomics/T1612/T1612.yaml
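Review bot: `RUN apt update && apt install -y git` installs a package nothing in the image uses (test.sh only echoes a string) and leaves `/var/lib/apt/lists` in the layer, which makes the atomic's build slower, network-dependent and larger for no gain; drop the line, or if git is meant to be part of the built artifact, use `RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*`. `COPY test.sh /test.sh` followed by `RUN chmod +x /test.sh` can be a single instruction, `COPY --chmod=755 test.sh /test.sh`, on hosts whose docker runs BuildKit. `WORKDIR /` places the script at the filesystem root; `/app` or `/srv/t1612` is the conventional choice and the `./test.sh` exec in T1612.yaml keeps working as long as the script is copied into that directory.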
@@ -2,18 +2,18 @@ attack_technique: T1612 display_name: "Build Image on Host" atomic_tests: - name: Build Image On Host - auto_generated_guid: - description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. + auto_generated_guid: + description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image. supported_platforms: - containers dependency_executor_name: sh - dependencies: + dependencies: - description: Verify docker is installed. prereq_command: | which docker get_prereq_command: | if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi - + - description: Verify docker service is running. prereq_command: | sudo systemctl status docker --no-pager @@ -21,7 +21,7 @@ atomic_tests: sudo systemctl start docker executor: command: |- - docker build -t t1612 $PathtoAtomicsFolder/T1613/src/ + docker build -t t1612 $PathtoAtomicsFolder/T1612/src/ docker run --name t1612_container -d -t t1612 docker exec t1612_container ./test.sh cleanup_command: |- From 63145c41f809e5d22689c90c8d7e03a648c976a1 Mon Sep 17 00:00:00 2001 From: well123cs <119821998+well123cs@users.noreply.github.com> Date: Wed, 29 Mar 2023 18:33:10 -0700 Subject: [PATCH 3/3] Update T1612.yaml --- atomics/T1612/T1612.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/atomics/T1612/T1612.yaml b/atomics/T1612/T1612.yaml index ffed1670..752d760c 100644 --- a/atomics/T1612/T1612.yaml +++ b/atomics/T1612/T1612.yaml 
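Review bot: The added description reads "and then they then may utilize Deploy Container", a doubled "then"; change it to `and then they may utilize Deploy Container using that custom image`. The other three replaced lines in this hunk (auto_generated_guid, dependencies and the blank line) show no visible difference, so they appear to be trailing-whitespace edits; worth confirming no new trailing spaces were introduced, since the block scalars below are whitespace-sensitive.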
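Review bot: The corrected build line still passes `$PathtoAtomicsFolder` unquoted, so an atomics folder path containing a space splits into several build-context arguments and `docker build` fails; use `docker build -t t1612 "$PathtoAtomicsFolder/T1612/src/"`. The executor's cleanup_command continues past the end of the hunk.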
@@ -2,7 +2,6 @@ attack_technique: T1612 display_name: "Build Image on Host" atomic_tests: - name: Build Image On Host - auto_generated_guid: description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image. supported_platforms: - containers