Build Image on Host

Information

• Name: Build Image on Host

• ID: T1612

• Tactics:

Introduction

"Build Image on Host" is a technique categorized under the MITRE ATT&CK framework (Technique ID: T1612). It refers to adversaries building container images directly on compromised hosts to facilitate malicious activities. By leveraging existing tools or installing their own, attackers create custom container images that embed malicious payloads or backdoors. This allows them to execute further attacks, maintain persistence, or escalate privileges within the compromised environment.

Deep Dive Into Technique

This technique involves adversaries leveraging containerization technologies, such as Docker or Kubernetes, to create container images directly on compromised host systems. The attackers typically follow these steps:

1. Initial Access and Privilege Escalation:

   • Adversaries first gain access to a host with container runtime installed.

   • They may exploit vulnerabilities, use compromised credentials, or leverage misconfigurations to achieve elevated privileges.

2. Preparation of Malicious Components:

   • Attackers prepare malicious payloads, scripts, or binaries.

   • Payloads can include backdoors, cryptominers, ransomware, or tools for lateral movement and data exfiltration.

3. Container Image Creation:

   • Attackers use container runtime tools (e.g., Docker CLI commands such as docker build) to create container images locally.

   • Malicious components are integrated into container images via Dockerfiles or direct command-line instructions.

4. Deployment and Execution:

   • Newly built malicious container images are executed using commands like docker run.

   • Containers may be configured to restart automatically, ensuring persistence across reboots.

5. Obfuscation and Cleanup:

   • Attackers may remove build files, Dockerfiles, or logs to hide their activities.

   • Images may be tagged with benign-looking labels to evade suspicion.

Real-world procedures might also include:

• Leveraging compromised registries or self-hosted registries to store and distribute malicious images.

• Modifying existing legitimate container images by injecting malicious code or binaries.

When this Technique is Usually Used

Attackers typically utilize the "Build Image on Host" technique in various attack scenarios and stages, including:

• Persistence:

  • Creating persistent footholds in compromised environments by embedding malicious payloads in containers that restart automatically.

• Privilege Escalation:

  • Building images with privileged container configurations to escalate privileges or bypass security controls.

• Execution and Lateral Movement:

  • Deploying containers that execute malicious scripts or binaries, allowing attackers to move laterally within containerized environments.

• Defense Evasion:

  • Using containerization to encapsulate malicious activities, making detection and attribution more difficult.

• Resource Hijacking:

  • Deploying cryptominers or resource-intensive malware within containers to exploit host resources discreetly.

• Data Exfiltration:

  • Containers can serve as isolated environments for staging and exfiltrating sensitive data, reducing detection likelihood.

How this Technique is Usually Detected

Detection methods and indicators of compromise (IoCs) for the "Build Image on Host" technique include:

• Monitoring Container Runtime Logs:

  • Inspect Docker daemon logs (/var/log/docker.log or system-specific locations).

  • Identify unusual container image builds and executions.

• File Integrity Monitoring (FIM):

  • Detect changes to Dockerfiles or container image build scripts.

  • Track unexpected file creations or modifications in container-related directories (/var/lib/docker, /etc/docker).

• Process Monitoring and Auditing:

  • Utilize tools such as Auditd, Sysmon for Linux, or Endpoint Detection and Response (EDR) solutions to monitor suspicious process executions (docker build, docker run).

  • Establish baselines for normal container-related operations and alert on deviations.

• Network Monitoring:

  • Detect anomalous network connections initiated by containers.

  • Monitor traffic to external registries or suspicious IP addresses/domains.

• Behavioral Analytics and SIEM Solutions:

  • Correlate events from multiple sources (logs, network, endpoint) to identify abnormal container-related activities.

  • Alert on suspicious patterns, such as rapid container image builds followed by immediate execution or deletion.

Specific IoCs include:

• Unrecognized or suspicious container images appearing locally without proper approval.

• Containers running unusual binaries, scripts, or processes.

• Unexpected resource usage spikes (CPU, memory, network bandwidth) by container processes.

• Logs indicating attempts to pull or push container images to unauthorized registries.

Why it is Important to Detect This Technique

Early detection of the "Build Image on Host" technique is crucial due to the following potential impacts on systems and networks:

• Persistence and Stealth:

  • Containers provide attackers a persistent and isolated environment, making it challenging to detect and remove malicious footholds.

• Resource Abuse:

  • Malicious containers can consume significant system resources, leading to performance degradation, service disruption, or denial-of-service conditions.

• Privilege Escalation:

  • Containers configured with elevated privileges can allow attackers to escalate to host-level privileges, potentially compromising the entire host or cluster.

• Data Theft and Exfiltration:

  • Containers can serve as staging areas for sensitive data, facilitating covert data exfiltration and sensitive information leakage.

• Lateral Movement:

  • Attackers can leverage containers to move laterally within containerized environments, compromising additional hosts, services, or cloud resources.

• Difficulty in Attribution and Remediation:

  • Containerization can obscure attacker activities, complicating forensic investigations and remediation efforts.

Early detection enables:

• Rapid incident response and containment.

• Minimization of potential damage and disruption.

• Improved forensic analysis and attribution capabilities.

• Strengthening of security posture by addressing containerization-related vulnerabilities or misconfigurations.

Examples

Real-world examples of the "Build Image on Host" technique include:

• TeamTNT Attacks:

  • Attack Scenario:

    • Attackers compromised Docker hosts exposed to the internet.

    • Built and deployed malicious container images containing cryptocurrency miners and backdoors.

  • Tools Used:

    • Docker CLI, malicious Dockerfiles, cryptominers (XMRig), reverse shells.

  • Impacts:

    • Resource exhaustion, unauthorized mining of cryptocurrency, persistence, and potential lateral movement.

• Doki Malware Campaign:

  • Attack Scenario:

    • Attackers exploited misconfigured Docker APIs to gain initial access.

    • Built malicious container images embedding Doki malware for command-and-control (C2) communications.

  • Tools Used:

    • Docker CLI, malicious container images, Doki malware, ngrok tunneling.

  • Impacts:

    • Persistent backdoor access, compromised host resources, covert data exfiltration, and command-and-control operations.

• Siloscape Malware:

  • Attack Scenario:

    • Targeted Kubernetes clusters by exploiting container runtime vulnerabilities.

    • Built and deployed malicious container images designed explicitly to escape container isolation and compromise host nodes.

  • Tools Used:

    • Docker and Kubernetes runtime tools, Siloscape malware, reverse shells.

  • Impacts:

    • Container escape, host-level compromise, lateral movement within Kubernetes clusters, persistence, and extensive privilege escalation.

These examples illustrate attackers' ability to leverage container technologies for malicious purposes and underscore the importance of monitoring and securing containerized environments.