Merge pull request #1 from well123cs/t1612-1
T1612
well123cs authored Mar 18, 2023
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
2 parents c967af1 + 1ca680d commit 15384a3
Showing 3 changed files with 43 additions and 0 deletions.
30 changes: 30 additions & 0 deletions atomics/T1612/T1612.yaml
@@ -0,0 +1,30 @@
attack_technique: T1612
display_name: "Build Image on Host"
atomic_tests:
- name: Build Image On Host
auto_generated_guid:
description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
supported_platforms:
- containers
dependency_executor_name: sh
dependencies:
- description: Verify docker is installed.
prereq_command: |
which docker
get_prereq_command: |
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
- description: Verify docker service is running.
prereq_command: |
sudo systemctl status docker --no-pager
get_prereq_command: |
sudo systemctl start docker
executor:
command: |-
docker build -t t1612 $PathtoAtomicsFolder/T1612/src/
docker run --name t1612_container -d -t t1612
docker exec t1612_container ./test.sh
cleanup_command: |-
docker stop t1612_container
docker rmi -f t1612
name: sh
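Review bot: the cleanup_command stops t1612_container but never removes it, so the second run of this atomic fails at `docker run --name t1612_container` with a name conflict, and `docker rmi -f t1612` then leaves the stopped container holding the image layers. Replace `docker stop t1612_container` with `docker rm -f t1612_container` (or add `docker rm t1612_container` after the stop). Two smaller points in the same hunk: the first dependency's get_prereq_command runs `sudo apt-get -y install docker`, but on Debian/Ubuntu that package is not Docker Engine (the engine package is `docker.io`), and the `[ "" == ... ]` test uses `==`, which dash, the `sh` named in dependency_executor_name on Ubuntu, rejects with "unexpected operator"; `if ! command -v docker >/dev/null 2>&1; then ...` avoids both the operator and the backticks. The executor also runs `docker build` and `docker run` without sudo while the dependencies use it, so either add `elevation_required: true` to the executor or state the docker-group requirement in the description, and quote `"$PathtoAtomicsFolder"` since that path may contain spaces.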
9 changes: 9 additions & 0 deletions atomics/T1612/src/Dockerfile
@@ -0,0 +1,9 @@
FROM ubuntu:20.04
WORKDIR /
LABEL key="CyberSecurity_project"
RUN echo "CyberSecurity_project"
RUN apt update && apt install -y git
COPY test.sh /test.sh
RUN chmod +x /test.sh
ENTRYPOINT ["tail", "-f", "/dev/null"]

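Review bot: `RUN apt update && apt install -y git` installs a package nothing in this image uses (test.sh only runs echo), and it makes the build depend on network access to the Ubuntu mirrors, which is the most common reason a `docker build` fails on a locked-down host and is unrelated to the behaviour this atomic is meant to produce. Drop the line, or, if a package install during the build is intentionally there to give a detection something to observe, say so in the YAML description and append `&& rm -rf /var/lib/apt/lists/*` to the same RUN. The `LABEL key="CyberSecurity_project"` and `RUN echo "CyberSecurity_project"` layers do nothing observable and read as template leftovers; consider removing them as well.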
4 changes: 4 additions & 0 deletions atomics/T1612/src/test.sh
@@ -0,0 +1,4 @@
#!/usr/bin/bash

echo "You have been hacked"

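Review bot: the shebang `#!/usr/bin/bash` only works because ubuntu:20.04 ships a merged /usr with /bin symlinked to /usr/bin; on most other base images bash lives at /bin/bash and `docker exec t1612_container ./test.sh` would fail with "no such file or directory" the moment someone changes the FROM line. Use `#!/bin/bash`, or `#!/bin/sh` since the script only calls echo, and drop the trailing blank line.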