
T1612: Build Image on Host

The MITRE Corporation · Published 30/03/2021 19:54 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1612
Confidence: 100/100
Revoked: No
Published: 30/03/2021 19:54
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

T1612

Platforms

Containers

Description

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote `build` request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image) An adversary may take advantage of that `build` API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.
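A defender-side check for the build-then-deploy sequence described above, as an added example that is not part of the original entry or MITRE's own material. It assumes the Docker Engine API sits behind a reverse proxy that writes common-log-format access lines; the log lines, the builder allowlist and the five-minute window are constructed for illustration, while `t` and `remote` are query parameters of the Engine API `build` endpoint.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample: access-log lines from a hypothetical reverse proxy
# in front of the Docker Engine API (common log format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /v1.41/containers/json HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "POST /v1.41/build?t=ci%2Fapp%3A1.0 HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jan/2025:10:02:11 +0000] "POST /v1.41/build?t=base&remote=http%3A%2F%2Fexample.invalid%2Fctx.tar HTTP/1.1" 200 4096
203.0.113.7 - - [01/Jan/2025:10:02:40 +0000] "POST /v1.41/containers/create HTTP/1.1" 201 88
"""
ALLOWED_BUILDERS = {"10.0.0.5"}  # hypothetical allowlist of CI build hosts

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} ')
API_RE = re.compile(r'^(?:/v\d+\.\d+)?/(build|containers/create)$')

def parse_api_calls(log_text):
    """Yield (source, time, endpoint, query) for POSTs to build / create."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        url = urlsplit(m.group(4))
        api = API_RE.match(url.path)
        if api:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, api.group(1), parse_qs(url.query)

def find_host_builds(log_text, allowed=ALLOWED_BUILDERS, window=timedelta(minutes=5)):
    """Report each build request, its source, and any container create that follows."""
    events = list(parse_api_calls(log_text))
    findings = []
    for src, ts, api, qs in events:
        if api != "build":
            continue
        # Same source creating a container inside the window after the build.
        deployed = any(s == src and a == "containers/create"
                       and ts <= t <= ts + window for s, t, a, _ in events)
        findings.append({
            "source": src,
            "tag": qs.get("t", [None])[0],
            "remote_context": qs.get("remote", [None])[0],
            "unexpected_source": src not in allowed,
            "followed_by_create": deployed,
        })
    return findings
```

A build from a source outside the allowlist that is followed by a container create from the same source is the combination worth alerting on; the image named in the create request is in the request body, so confirming it matches the built tag needs the daemon's own events rather than the access log.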

Kill chain phases

Kill chain: mitre-attack
Phase: defense-evasion

Marking (TLP)

TLP:CLEAR
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references