Description
Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize Deploy Container using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.
Platforms
Mitigations (4)
Limit Access to Resource Over NetworkM1035
Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API on port 2375. Instead, communicate with the Docker API over TLS on port 2376.(Citation: Docker Daemon Socket Protect)
Privileged Account ManagementM1026
Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.(Citation: Kubernetes Hardening Guide)
Network SegmentationM1030
Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.
AuditM1047
Audit images deployed within the environment to ensure they do not contain any malicious components.
References
- Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.
- Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021.
- Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.
Frequently Asked Questions
What is T1612 (Build Image on Host)?
T1612 is a MITRE ATT&CK technique named 'Build Image on Host'. It belongs to the Stealth tactic(s). Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent...
How can T1612 be detected?
Detection of T1612 (Build Image on Host) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1612?
There are 4 documented mitigations for T1612. Key mitigations include: Limit Access to Resource Over Network, Privileged Account Management, Network Segmentation, Audit.
Which threat groups use T1612?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.