Detect Build Image on Host in Google Chronicle
This detection identifies adversaries building custom container images directly on a compromised host to evade registry-based defenses. Rather than pulling a pre-built malicious image — which would trigger image scanning alerts — attackers issue docker build commands referencing Dockerfiles that download malware or backdoors at build time using RUN curl/wget instructions. The detection monitors for docker build process execution with suspicious argument patterns (temporary directory Dockerfiles, no-cache flags, external URL fetches), Dockerfile creation in writable system directories, and Docker daemon network connections to unexpected destinations during image construction. Correlation across process telemetry, file events, and network activity surfaces the build-then-deploy attack chain used by groups like TeamTNT and WatchDog cryptomining campaigns.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1612 Build Image on Host
- Canonical reference: https://attack.mitre.org/techniques/T1612/
YARA-L Detection Query
rule detect_build_image_on_host {
  meta:
    author = "Argus"
    description = "Detects docker build executions on a host whose arguments match build-image-on-host evasion patterns (temp-dir Dockerfile, --no-cache, build-time URL fetch)"
    severity = "HIGH"
    technique = "T1612"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = "/usr/bin/docker" or
      re.regex($e.target.process.file.full_path, `/(docker|podman)$`) nocase
    )
    // the launch must be an image build, not just any docker invocation
    re.regex($e.target.process.command_line, `\b(docker|podman)\s+(buildx\s+)?build\b`) nocase
    // suspicious build arguments named in the description above
    re.regex($e.target.process.command_line, `--no-cache|/tmp/|/var/tmp/|/dev/shm/|https?://`) nocase
  condition:
    $e
}
Google Chronicle YARA-L 2.0 rule for T1612 detection using UDM event types and field matching. It flags suspicious container image builds on the host by monitoring docker build process executions.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build images on the host using --no-cache for reproducibility
- Developer workstations with Docker Desktop where developers routinely build images from ~/Downloads or temp directories during testing
- Container security scanning tools (Trivy, Grype, Snyk) that build test images from temporary Dockerfiles to verify vulnerability detection coverage
- Infrastructure-as-code tools like Packer or Terraform using Docker builder that create Dockerfiles in temp locations as part of their workflow
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Build Custom Image with Embedded Payload Simulation
Expected signal: DeviceProcessEvents: FileName=docker, ProcessCommandLine contains 'build --no-cache -t atomictest_t1612' and '/tmp/atomictest_t1612/Dockerfile'. DeviceNetworkEvents: dockerd process making connection to example.com:443 during RUN curl step.
- Test 2: Docker API Remote Build Request Simulation
Expected signal: Auditd: access to /var/run/docker.sock by curl process. Docker daemon logs (journalctl -u docker): POST /v1.43/build request logged. DeviceProcessEvents may not show docker CLI — hunting via socket access rules is required for API-based builds.
- Test 3: Build Privileged Escape-Ready Container Image
Expected signal: DeviceProcessEvents: docker run with ProcessCommandLine containing '-v /var/run/docker.sock:/var/run/docker.sock'. Sysmon EventCode 11: file access to /var/run/docker.sock from container process namespace.
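The same heuristics the rule relies on, applied offline to process telemetry so the logic can be checked before it is deployed. This is an added example, not part of the original detection package; it resolves the Dockerfile path from the docker build argument list (which the command-line regex cannot do) and, where a file source supplied the Dockerfile content, checks for RUN curl/wget fetches. The UDM field names are from the rule; the sample events are constructed.

```python
import re
import shlex

# Heuristics from the description above: temp-dir Dockerfile, --no-cache, RUN curl/wget from a URL.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FETCH_RE = re.compile(r"^\s*RUN\b.*\b(curl|wget)\b.*https?://", re.IGNORECASE | re.MULTILINE)
# docker build flags that take a value, so the token after them is not the build context.
VALUE_FLAGS = {"-t", "--tag", "-f", "--file", "--build-arg", "--target", "--platform", "--label"}

def dockerfile_path(argv):
    """Resolve the Dockerfile a docker build argv reads: -f/--file wins, else <context>/Dockerfile."""
    explicit, context = None, "."
    args = argv[argv.index("build") + 1:]
    i = 0
    while i < len(args):
        a = args[i]
        if a.startswith("--file="):
            explicit, i = a.split("=", 1)[1], i + 1
        elif a in VALUE_FLAGS and i + 1 < len(args):
            if a in ("-f", "--file"):
                explicit = args[i + 1]
            i += 2                  # skip the flag and its value
        elif a.startswith("-"):
            i += 1                  # boolean flag such as --no-cache
        else:
            context, i = a, i + 1   # positional build context directory
    return explicit or f"{context.rstrip('/')}/Dockerfile"

def analyze(command_line, dockerfile_text=""):
    """Return why a build looks suspicious (empty list = no signal); dockerfile_text is optional."""
    argv = shlex.split(command_line)  # UDM target.process.command_line of a PROCESS_LAUNCH event
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "docker" or "build" not in argv[1:3]:
        return []                   # not a docker build / docker buildx build invocation
    reasons = []
    if "--no-cache" in argv:
        reasons.append("--no-cache build leaves no cached layers to inspect")
    path = dockerfile_path(argv)
    if path.startswith(TEMP_DIRS):
        reasons.append(f"Dockerfile resolved to a temp directory: {path}")
    if FETCH_RE.search(dockerfile_text):
        reasons.append("RUN instruction fetches content from an external URL")
    return reasons

# Constructed sample telemetry: one build mirroring the Test 1 signal above, one routine CI build.
SAMPLE_EVENTS = [
    ("/usr/bin/docker build --no-cache -t atomictest_t1612 /tmp/atomictest_t1612",
     "FROM alpine:3.19\nRUN curl -sSL https://example.com/tool -o /usr/local/bin/tool\n"),
    ("/usr/bin/docker build -t registry.internal/app:1.4 -f build/Dockerfile .",
     "FROM python:3.12-slim\nCOPY . /app\nRUN pip install -r /app/requirements.txt\n"),
]
```

Running analyze over the first sample returns all three reasons, while the CI build with an explicit -f path under the repository returns none; the --no-cache and temp-dir checks alone would still fire on the legitimate pipelines listed under False Positives, so the build context and Dockerfile content are what separate them.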
References (6)
- https://attack.mitre.org/techniques/T1612/
- https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageBuild
- https://www.aquasec.com/blog/threat-alert-malicious-container-images-from-docker-hub/
- https://www.aquasec.com/cloud-native-security-report/
- https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-campaign/
- https://www.trendmicro.com/en_us/research/21/b/building-a-container-security-program.html