---
attack_technique: T1610
display_name: "Deploy a container"

atomic_tests:
- name: Deploy Docker container
  auto_generated_guid: 59aa6f26-7620-417e-9318-589e0fb7a372
  description: |
    Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands. Kinsing & Doki was exploited using this technique. 

  supported_platforms:
  - containers
  
  dependency_executor_name: sh
  dependencies: 
  - description: Verify docker is installed.
    prereq_command: |
      which docker
    get_prereq_command: |
      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
  
  - description: Verify docker service is running.
    prereq_command: |
      sudo systemctl status docker  --no-pager
    get_prereq_command: |
      sudo systemctl start docker
  

  executor:
    command: |
      docker build -t t1610 $PathtoAtomicsFolder/T1610/src/
      docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh
    name: bash
    cleanup_command: |
      docker stop t1610_container
      docker rmi -f t1610:latest