AlbertoPellitteri
4a11a17dba
* Adding the docker rm option * Undoing the md file fix --------- Co-authored-by: Hare Sudhan <code@0x6c.dev> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
31 lines
1.4 KiB
YAML
31 lines
1.4 KiB
YAML
attack_technique: T1612
|
|
display_name: "Build Image on Host"
|
|
atomic_tests:
|
|
- name: Build Image On Host
|
|
auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
|
|
description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
|
|
supported_platforms:
|
|
- containers
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: Verify docker is installed.
|
|
prereq_command: |
|
|
which docker
|
|
get_prereq_command: |
|
|
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
|
|
|
|
- description: Verify docker service is running.
|
|
prereq_command: |
|
|
sudo systemctl status docker --no-pager
|
|
get_prereq_command: |
|
|
sudo systemctl start docker
|
|
executor:
|
|
command: |-
|
|
docker build -t t1612 $PathtoAtomicsFolder/T1612/src/
|
|
docker run --name t1612_container --rm -d -t t1612
|
|
docker exec t1612_container ./test.sh
|
|
cleanup_command: |-
|
|
docker stop t1612_container
|
|
docker rmi -f t1612
|
|
name: sh
|