Merge pull request #1 from well123cs/t1612-1
T1612
well123cs authored Mar 18, 2023
2 parents c967af1 + 1ca680d commit 15384a3
Showing 3 changed files with 43 additions and 0 deletions.
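--- a/atomics/T1612/T1612.yaml
+++ b/atomics/T1612/T1612.yaml
@@ -0,0 +1,30 @@
+attack_technique: T1612
+display_name: "Build Image on Host"
+atomic_tests:
+- name: Build Image On Host
+  auto_generated_guid:
+  description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
+  supported_platforms:
+  - containers
+  dependency_executor_name: sh
+  dependencies:
+  - description: Verify docker is installed.
+    prereq_command: |
+      which docker
+    get_prereq_command: |
+      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+  - description: Verify docker service is running.
+    prereq_command: |
+      sudo systemctl status docker --no-pager
+    get_prereq_command: |
+      sudo systemctl start docker
+  executor:
+    command: |-
+      docker build -t t1612 $PathtoAtomicsFolder/T1612/src/
+      docker run --name t1612_container -d -t t1612
+      docker exec t1612_container ./test.sh
+    cleanup_command: |-
+      docker stop t1612_container
+      docker rmi -f t1612
+    name: sh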
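Review bot: The cleanup_command stops t1612_container but never removes it, so the container name stays allocated and a second run of the executor fails at `docker run --name t1612_container`; `docker rmi -f t1612` then only untags the image, because the stopped container still references it. Change the cleanup to `docker rm -f t1612_container` followed by `docker rmi -f t1612`. In the first dependency, `[ "" == "`which docker`" ]` uses a bash-only operator although dependency_executor_name is sh (dash, the sh on Debian/Ubuntu, rejects `==`), so prefer `if [ -z "$(command -v docker)" ]; then`, and on Debian/Ubuntu the package that provides Docker Engine is `docker.io` (or `docker-ce`), not `docker`. `auto_generated_guid:` is left bare, which YAML parses as null rather than the UUID the Atomic Red Team schema expects for this field.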
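--- a/atomics/T1612/src/Dockerfile
+++ b/atomics/T1612/src/Dockerfile
@@ -0,0 +1,9 @@
+FROM ubuntu:20.04
+WORKDIR /
+LABEL key="CyberSecurity_project"
+RUN echo "CyberSecurity_project"
+RUN apt update && apt install -y git
+COPY test.sh /test.sh
+RUN chmod +x /test.sh
+ENTRYPOINT ["tail", "-f", "/dev/null"]
+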
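Review bot: `RUN apt update && apt install -y git` installs a package that nothing in the image uses — test.sh only runs echo — while adding a network fetch to every build and leaving the apt lists in the layer. Drop the line, or if git is meant to stand in for tooling pulled in at build time, use the script-safe form `RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*` (`apt` itself warns that it has no stable CLI interface). `FROM ubuntu:20.04` is also unpinned; a digest would keep the built image reproducible across runs of the test.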
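--- a/atomics/T1612/src/test.sh
+++ b/atomics/T1612/src/test.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/bash
+
+echo "You have been hacked"
+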
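Review bot: The shebang `#!/usr/bin/bash` presumably works on ubuntu:20.04 only because that image has a merged /usr; on a base image where bash lives at /bin/bash, the `docker exec t1612_container ./test.sh` call in T1612.yaml fails with "no such file or directory". Use `#!/bin/bash` or `#!/usr/bin/env bash`. The relative `./test.sh` in the exec command also depends on `WORKDIR /` in the Dockerfile; executing `/test.sh` by absolute path would remove that coupling.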