# T1612 - Build Image on Host

## Description from ATT&CK

> Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
> 
> An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

[Source](https://attack.mitre.org/techniques/T1612)

## Atomic Tests

- [Atomic Test #1: Build Image On Host](#atomic-test-1-build-image-on-host)

### Atomic Test #1: Build Image On Host

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.

**Supported Platforms:** Containers

**auto_generated_guid:** `2db30061-589d-409b-b125-7b473944f9b3`

#### Attack Commands: Run with `sh`!

```sh
docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
docker run --name t1612_container --rm -d -t t1612
docker exec t1612_container ./test.sh
```

#### Cleanup Commands

```sh
docker stop t1612_container
docker rmi -f t1612
```

#### Dependencies: Run with `sh`!

##### Description: Verify docker is installed.

###### Check Prereq Commands

```sh
which docker
```

###### Get Prereq Commands

```sh
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
```

##### Description: Verify docker service is running.

###### Check Prereq Commands

```sh
sudo systemctl status docker  --no-pager
```

###### Get Prereq Commands

```sh
sudo systemctl start docker
```