T1612 Build Image on Host Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimeWindow = 1d;
let TempPaths = dynamic(["/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/", "\\Temp\\", "\\AppData\\Local\\Temp\\"]);
let SuspiciousParents = dynamic(["bash", "sh", "zsh", "python", "python3", "perl", "ruby", "curl", "wget"]);
// Detect suspicious docker build executions
let DockerBuilds = DeviceProcessEvents
| where TimeGenerated > ago(TimeWindow)
| where (FileName =~ "docker" or FileName =~ "docker.exe")
    and ProcessCommandLine has_any ("build", "image build")
| extend BuildFromTemp = ProcessCommandLine has_any (TempPaths)
| extend BuildNoCache = ProcessCommandLine has "--no-cache"
| extend BuildExternalFile = ProcessCommandLine matches regex @"-f\s+https?://"
| extend SuspiciousParentProc = InitiatingProcessFileName has_any (SuspiciousParents)
| extend RiskScore = toint(BuildFromTemp) * 3
    + toint(BuildNoCache) * 1
    + toint(BuildExternalFile) * 4
    + toint(SuspiciousParentProc) * 2
| where RiskScore >= 2
| project TimeGenerated, DeviceName, AccountName, AccountDomain,
          ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName,
          BuildFromTemp, BuildNoCache, BuildExternalFile, SuspiciousParentProc, RiskScore;
// Detect Dockerfile written to suspicious locations
let SuspiciousDockerfiles = DeviceFileEvents
| where TimeGenerated > ago(TimeWindow)
| where (FileName =~ "Dockerfile" or FileName endswith ".dockerfile" or FileName endswith ".Dockerfile")
    and FolderPath has_any (TempPaths)
| extend RiskScore = 3
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName,
          InitiatingProcessCommandLine, RiskScore;
// Detect docker daemon making external connections during potential build phase
let DockerNetworkBuild = DeviceNetworkEvents
| where TimeGenerated > ago(TimeWindow)
| where InitiatingProcessFileName =~ "dockerd"
    and RemotePort in (80, 443, 8080, 8443)
    and not(ipv4_is_private(RemoteIP))
    and not(RemoteUrl has_any ("docker.io", "hub.docker.com", "registry-1.docker.io",
                               "production.cloudflare.docker.com", "auth.docker.io",
                               "registry.k8s.io", "gcr.io", "mcr.microsoft.com",
                               "quay.io", "ghcr.io"))
| extend RiskScore = 2
| project TimeGenerated, DeviceName, RemoteIP, RemoteUrl, RemotePort,
          InitiatingProcessCommandLine, RiskScore;
// Union all findings
DockerBuilds
| project TimeGenerated, DeviceName, AccountName, Description = "Suspicious docker build execution",
          Detail = ProcessCommandLine, RiskScore
| union (
    SuspiciousDockerfiles
    | project TimeGenerated, DeviceName, AccountName, Description = "Dockerfile written to temp path",
              Detail = strcat(FolderPath, FileName), RiskScore
)
| union (
    DockerNetworkBuild
    | project TimeGenerated, DeviceName, AccountName = "", Description = "Docker daemon external connection during build",
              Detail = strcat(RemoteIP, " (", RemoteUrl, "):", tostring(RemotePort)), RiskScore
)
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceNetworkEvents

False Positives

Legitimate CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build images on the host using --no-cache for reproducibility
Developer workstations with Docker Desktop where developers routinely build images from ~/Downloads or temp directories during testing
Container security scanning tools (Trivy, Grype, Snyk) that build test images from temporary Dockerfiles to verify vulnerability detection coverage
Infrastructure-as-code tools like Packer or Terraform using Docker builder that create Dockerfiles in temp locations as part of their workflow

Splunk

spl

index=* (sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval is_docker_build=case(
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1,
        if(match(CommandLine, "(?i)docker\s+(image\s+)?build"), 1, 0),
    sourcetype="auditd",
        if(match(msg, "docker.*(image\s+)?build") OR match(comm, "^docker$") AND match(msg, "build"), 1, 0),
    match(_raw, "docker\s+(image\s+)?build"), 1,
    true(), 0)
| where is_docker_build=1
| eval CommandLine=coalesce(CommandLine, msg, _raw)
| eval risk_score=0
| eval from_temp=if(match(CommandLine, "(?i)(/tmp/|/dev/shm/|/var/tmp/|/run/user/)"), 1, 0)
| eval risk_score=risk_score + (from_temp * 3)
| eval no_cache=if(match(CommandLine, "--no-cache"), 1, 0)
| eval risk_score=risk_score + (no_cache * 1)
| eval external_file=if(match(CommandLine, "-f\s+https?://"), 1, 0)
| eval risk_score=risk_score + (external_file * 4)
| eval suspicious_parent=if(match(ParentCommandLine, "(?i)(bash|sh|zsh|python|python3|perl|curl|wget)"), 1, 0)
| eval risk_score=risk_score + (suspicious_parent * 2)
| where risk_score >= 2
| eval alert_detail=case(
    external_file=1, "CRITICAL: Dockerfile sourced from external URL",
    from_temp=1 AND suspicious_parent=1, "HIGH: Build from temp path launched by shell/script",
    from_temp=1, "MEDIUM: Dockerfile in temporary directory",
    no_cache=1 AND suspicious_parent=1, "MEDIUM: No-cache build from suspicious parent",
    true(), "LOW: Suspicious docker build pattern")
| table _time, host, user, CommandLine, ParentCommandLine, from_temp, no_cache, external_file, suspicious_parent, risk_score, alert_detail
| sort -risk_score, -_time

high severity medium confidence

Data Sources

Linux Auditd Syslog Sysmon (Windows)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational auditd syslog linux_secure

False Positives

Automated CI/CD build agents executing docker build as part of legitimate software delivery pipelines, often with --no-cache for clean builds
Container hardening scripts that build minimal base images locally rather than pulling from external registries as a security measure
Developer sandbox environments where images are built from Dockerfiles staged in /tmp during rapid prototyping or testing workflows

Elastic Security (EQL)

eql

process where process.name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") and (process.args : ("exec", "run", "create", "deploy", "--privileged", "--pid=host", "--net=host", "--cap-add", "SYS_ADMIN", "nsenter") or process.command_line : ("*--privileged*", "*--pid=host*", "*--cap-add=SYS_ADMIN*", "*nsenter*pid*1*"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Kubernetes Audit Logs

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build images on the host using --no-cache for reproducibility
Developer workstations with Docker Desktop where developers routinely build images from ~/Downloads or temp directories during testing
Container security scanning tools (Trivy, Grype, Snyk) that build test images from temporary Dockerfiles to verify vulnerability detection coverage
Infrastructure-as-code tools like Packer or Terraform using Docker builder that create Dockerfiles in temp locations as part of their workflow

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%--privileged%' OR "CommandLine" ILIKE '%nsenter%pid%1%' THEN 90 WHEN "CommandLine" ILIKE '%--pid=host%' OR "CommandLine" ILIKE '%--cap-add=SYS_ADMIN%' THEN 80 WHEN "CommandLine" ILIKE '%docker exec%' OR "CommandLine" ILIKE '%kubectl exec%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%docker%' OR "CommandLine" ILIKE '%kubectl%' OR "CommandLine" ILIKE '%crictl%' OR "CommandLine" ILIKE '%podman%' OR "CommandLine" ILIKE '%nsenter%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Linux OS Kubernetes Audit

Required Tables

events

False Positives

Legitimate CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build images on the host using --no-cache for reproducibility
Developer workstations with Docker Desktop where developers routinely build images from ~/Downloads or temp directories during testing
Container security scanning tools (Trivy, Grype, Snyk) that build test images from temporary Dockerfiles to verify vulnerability detection coverage
Infrastructure-as-code tools like Packer or Terraform using Docker builder that create Dockerfiles in temp locations as part of their workflow

Sumo Logic CSE

sql

_sourceCategory=endpoint/linux OR _sourceCategory=endpoint/kubernetes | json auto | where process_name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") | if(matches(command_line, "*--privileged*") or matches(command_line, "*nsenter*pid*1*"), "Critical", if(matches(command_line, "*--pid=host*") or matches(command_line, "*--cap-add=SYS_ADMIN*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, command_line, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Linux Endpoint Events Kubernetes Audit Logs

Required Tables

endpoint/linux endpoint/kubernetes

False Positives

Legitimate CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build images on the host using --no-cache for reproducibility
Developer workstations with Docker Desktop where developers routinely build images from ~/Downloads or temp directories during testing
Container security scanning tools (Trivy, Grype, Snyk) that build test images from temporary Dockerfiles to verify vulnerability detection coverage
Infrastructure-as-code tools like Packer or Terraform using Docker builder that create Dockerfiles in temp locations as part of their workflow

Google Chronicle / SecOps

yaral

rule detect_container_abuse {
  meta:
    author = "Argus"
    description = "Detects suspicious container management and escape attempts"
    severity = "HIGH"
    technique = "T1609_T1611"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = "/usr/bin/docker" or
      $e.target.process.file.full_path = "/usr/bin/kubectl" or
      $e.target.process.file.full_path = "/usr/bin/nsenter" or
      re.regex($e.target.process.file.full_path, `crictl|podman|runc`) nocase
    )
    (
      re.regex($e.target.process.command_line, `--privileged|--pid=host|--cap-add=SYS_ADMIN|nsenter.*--pid.*1`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Kubernetes Audit Logs

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build images on the host using --no-cache for reproducibility
Developer workstations with Docker Desktop where developers routinely build images from ~/Downloads or temp directories during testing
Container security scanning tools (Trivy, Grype, Snyk) that build test images from temporary Dockerfiles to verify vulnerability detection coverage
Infrastructure-as-code tools like Packer or Terraform using Docker builder that create Dockerfiles in temp locations as part of their workflow

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /docker|kubectl|crictl|podman|nsenter|runc/i
| case {
    CommandHistory = /--privileged|nsenter.*pid.*1/i | RiskLevel := "Critical";
    CommandHistory = /--pid=host|--cap-add=SYS_ADMIN|--net=host/i | RiskLevel := "High";
    CommandHistory = /exec|run.*-it/i | RiskLevel := "Medium";
    * | RiskLevel := "Low"
  }
| where RiskLevel in ("Critical", "High", "Medium")
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, RiskLevel])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Legitimate CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build images on the host using --no-cache for reproducibility
Developer workstations with Docker Desktop where developers routinely build images from ~/Downloads or temp directories during testing
Container security scanning tools (Trivy, Grype, Snyk) that build test images from temporary Dockerfiles to verify vulnerability detection coverage
Infrastructure-as-code tools like Packer or Terraform using Docker builder that create Dockerfiles in temp locations as part of their workflow

Build Image on Host

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections