
Detect Build Image on Host in Splunk

This detection identifies adversaries building custom container images directly on a compromised host to evade registry-based defenses. Rather than pulling a pre-built malicious image — which would trigger image scanning alerts — attackers issue docker build commands referencing Dockerfiles that download malware or backdoors at build time using RUN curl/wget instructions. The detection monitors for docker build process execution with suspicious argument patterns (temporary directory Dockerfiles, no-cache flags, external URL fetches), Dockerfile creation in writable system directories, and Docker daemon network connections to unexpected destinations during image construction. Correlation across process telemetry, file events, and network activity surfaces the build-then-deploy attack chain used by groups like TeamTNT and WatchDog cryptomining campaigns.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1612 Build Image on Host
Canonical reference: https://attack.mitre.org/techniques/T1612/

SPL Detection Query

Splunk (SPL)
index=* (sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval is_docker_build=case(
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1,
        if(match(CommandLine, "(?i)docker\s+(image\s+)?build"), 1, 0),
    sourcetype="auditd",
        if(match(msg, "docker.*(image\s+)?build") OR (match(comm, "^docker$") AND match(msg, "build")), 1, 0),
    match(_raw, "docker\s+(image\s+)?build"), 1,
    true(), 0)
| where is_docker_build=1
| eval CommandLine=coalesce(CommandLine, msg, _raw)
| eval ParentCommandLine=coalesce(ParentCommandLine, "")
| eval from_temp=if(match(CommandLine, "(?i)(/tmp/|/dev/shm/|/var/tmp/|/run/user/)"), 1, 0)
| eval no_cache=if(match(CommandLine, "--no-cache"), 1, 0)
| eval external_file=if(match(CommandLine, "(?i)(-f|--file)[=\s]*https?://|\shttps?://"), 1, 0)
| eval suspicious_parent=if(match(ParentCommandLine, "(?i)(^|[/\s])(bash|sh|zsh|dash|python[0-9.]*|perl|curl|wget)(\s|$)"), 1, 0)
| eval risk_score=(from_temp * 3) + (no_cache * 1) + (external_file * 4) + (suspicious_parent * 2)
| where risk_score >= 2
| eval alert_detail=case(
    external_file=1, "CRITICAL: Dockerfile sourced from external URL",
    from_temp=1 AND suspicious_parent=1, "HIGH: Build from temp path launched by shell/script",
    from_temp=1, "MEDIUM: Dockerfile in temporary directory",
    no_cache=1 AND suspicious_parent=1, "MEDIUM: No-cache build from suspicious parent",
    true(), "LOW: Suspicious docker build pattern")
| table _time, host, user, CommandLine, ParentCommandLine, from_temp, no_cache, external_file, suspicious_parent, risk_score, alert_detail
| sort -risk_score, -_time
Severity: high · Confidence: medium

Detects suspicious docker build command execution across Linux (auditd, syslog) and Windows (Sysmon EventCode 1) environments. Applies additive risk scoring to Dockerfiles loaded from temporary directories (+3), builds launched by shells or scripting interpreters (+2), use of the --no-cache flag (+1), and Dockerfiles or build contexts fetched directly from external URLs (+4); only events scoring 2 or more are kept. Because Linux sources carry no ParentCommandLine, the query defaults that field to an empty string before scoring so the score stays numeric instead of becoming null. Results are sorted by risk score to surface the highest-priority alerts first.
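To check the regexes and weights before deploying the search, the Python below re-implements the same scoring logic over constructed process events. It is an added example, not code from this page or its detection package; the sample command lines, host names, the ALERT_THRESHOLD constant and the treatment of a missing parent command line as an empty string are assumptions. The URL pattern also matches a remote build context (docker build https://...), which is a slight generalisation of the -f case named in the description.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns mirror the match() expressions in the SPL query above.
DOCKER_BUILD_RE = re.compile(r"docker\s+(image\s+)?build", re.I)
TEMP_PATH_RE = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|/run/user/)", re.I)
NO_CACHE_RE = re.compile(r"--no-cache")
# Remote Dockerfile via -f/--file, or a remote build context given as a bare URL.
EXTERNAL_URL_RE = re.compile(r"(-f|--file)[=\s]*https?://|\shttps?://", re.I)
# Word-bounded so "containerd-shim" or "ssh" do not count as a shell parent.
SUSPICIOUS_PARENT_RE = re.compile(
    r"(^|[/\s])(bash|sh|zsh|dash|python[0-9.]*|perl|curl|wget)(\s|$)", re.I)

ALERT_THRESHOLD = 2  # assumption: mirrors "| where risk_score >= 2"


@dataclass
class Verdict:
    from_temp: int
    no_cache: int
    external_file: int
    suspicious_parent: int
    risk_score: int
    alert_detail: Optional[str]  # None when below threshold (the SPL where-clause drops the row)


def score_build(command_line: str, parent_command_line: Optional[str] = None) -> Optional[Verdict]:
    """Score one process event; returns None when it is not a docker build at all."""
    if not DOCKER_BUILD_RE.search(command_line):
        return None
    # Linux sources (auditd, syslog) carry no ParentCommandLine: treat the missing
    # field as an empty string so the arithmetic below stays numeric.
    parent = parent_command_line or ""
    from_temp = int(bool(TEMP_PATH_RE.search(command_line)))
    no_cache = int(bool(NO_CACHE_RE.search(command_line)))
    external_file = int(bool(EXTERNAL_URL_RE.search(command_line)))
    suspicious_parent = int(bool(SUSPICIOUS_PARENT_RE.search(parent)))
    risk = from_temp * 3 + no_cache * 1 + external_file * 4 + suspicious_parent * 2

    detail = None
    if risk >= ALERT_THRESHOLD:
        # Same first-match ordering as the SPL case() expression.
        if external_file:
            detail = "CRITICAL: Dockerfile sourced from external URL"
        elif from_temp and suspicious_parent:
            detail = "HIGH: Build from temp path launched by shell/script"
        elif from_temp:
            detail = "MEDIUM: Dockerfile in temporary directory"
        elif no_cache and suspicious_parent:
            detail = "MEDIUM: No-cache build from suspicious parent"
        else:
            detail = "LOW: Suspicious docker build pattern"
    return Verdict(from_temp, no_cache, external_file, suspicious_parent, risk, detail)


# Constructed sample events (not real telemetry); hosts and paths are made up.
SAMPLE_EVENTS = [
    {"host": "build01",
     "CommandLine": "docker build --no-cache -t atomictest_t1612 -f /tmp/atomictest_t1612/Dockerfile /tmp/atomictest_t1612",
     "ParentCommandLine": "/bin/bash -c ./stage.sh"},
    {"host": "app07",   # auditd event: no parent command line at all
     "CommandLine": "docker build -t app:dev .", "ParentCommandLine": None},
    {"host": "dev03",
     "CommandLine": "docker image build -f https://files.example/Dockerfile -t payload .",
     "ParentCommandLine": "/usr/bin/python3 deploy.py"},
    {"host": "ci-runner02",   # legitimate CI pattern: --no-cache under a runtime shim
     "CommandLine": "docker build --no-cache -t registry.example/app:123 .",
     "ParentCommandLine": "/usr/bin/containerd-shim-runc-v2 -namespace moby"},
    {"host": "web01",   # not a build at all; dropped before scoring
     "CommandLine": "docker ps -a", "ParentCommandLine": None},
]


def run_samples():
    """Return (host, risk_score, alert_detail) per build event, highest risk first,
    matching the SPL "| sort -risk_score"."""
    rows = []
    for ev in SAMPLE_EVENTS:
        verdict = score_build(ev["CommandLine"], ev["ParentCommandLine"])
        if verdict is not None:
            rows.append((ev["host"], verdict.risk_score, verdict.alert_detail))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The ci-runner02 event scores 1 and never alerts, which is the false-positive case the tuning section describes; the app07 event shows that a Linux record with no parent field still produces a numeric score of 0 rather than disappearing.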

Data Sources

  • Linux Auditd
  • Syslog
  • Sysmon (Windows)

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • auditd
  • syslog
  • linux_secure

False Positives & Tuning

  • Automated CI/CD build agents executing docker build as part of legitimate software delivery pipelines, often with --no-cache for clean builds
  • Container hardening scripts that build minimal base images locally rather than pulling from external registries as a security measure
  • Developer sandbox environments where images are built from Dockerfiles staged in /tmp during rapid prototyping or testing workflows

Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Build Custom Image with Embedded Payload Simulation

    Expected signal: DeviceProcessEvents: FileName=docker, ProcessCommandLine contains 'build --no-cache -t atomictest_t1612' and '/tmp/atomictest_t1612/Dockerfile'. DeviceNetworkEvents: dockerd process making connection to example.com:443 during RUN curl step.

  2. Test 2: Docker API Remote Build Request Simulation

    Expected signal: Auditd: access to /var/run/docker.sock by curl process. Docker daemon logs (journalctl -u docker): POST /v1.43/build request logged. DeviceProcessEvents may not show docker CLI — hunting via socket access rules is required for API-based builds.

  3. Test 3: Build Privileged Escape-Ready Container Image

    Expected signal: DeviceProcessEvents: docker run with ProcessCommandLine containing '-v /var/run/docker.sock:/var/run/docker.sock'. Sysmon EventCode 11: file access to /var/run/docker.sock from container process namespace.
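Test 2 and Test 3 both turn on access to /var/run/docker.sock, which the process-based SPL query above cannot see. As an added example that is not part of this page or its detection package, the Python below parses constructed auditd records (SYSCALL plus SOCKADDR or PATH) and decodes the hex-encoded AF_UNIX sockaddr to report every event that reached a Docker daemon socket, flagging clients other than the docker tooling itself. The sample lines, the DOCKER_SOCKETS paths and the EXPECTED_CLIENTS allow-list are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Daemon socket paths (assumption: the default -H unix socket, no custom path).
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
# Clients expected to talk to the daemon; anything else is worth a look.
# Assumption for this example; extend with your orchestration tooling.
EXPECTED_CLIENTS = {"docker", "dockerd", "docker-compose", "containerd"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str):
    """One auditd line -> dict of key=value fields plus the event serial it belongs to."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    fields["_serial"] = m.group(2)
    return fields


def decode_unix_saddr(hexstr: str):
    """auditd writes SOCKADDR saddr as hex of the raw struct sockaddr. For AF_UNIX
    (family 1, little-endian) the NUL-terminated path follows the 2-byte family."""
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        return None
    if len(raw) < 3 or int.from_bytes(raw[:2], "little") != 1:
        return None
    return raw[2:].split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def find_docker_socket_access(lines):
    """Group records by serial, collect the paths each event touched, and return one
    finding per event that reached a Docker daemon socket."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)

    findings = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        touched = set()
        for r in recs:
            if r.get("type") == "SOCKADDR":
                path = decode_unix_saddr(r.get("saddr", ""))
                if path:
                    touched.add(path)
            elif r.get("type") == "PATH" and r.get("name"):  # emitted by a -w watch on the socket
                touched.add(r["name"])
        hit = touched & DOCKER_SOCKETS
        if hit:
            comm = syscall.get("comm", "")
            findings.append({
                "serial": serial,
                "socket": sorted(hit)[0],
                "comm": comm,
                "exe": syscall.get("exe", ""),
                "uid": syscall.get("uid", ""),
                "unexpected": comm not in EXPECTED_CLIENTS,
            })
    return findings


# Constructed auditd records (not captured from a real host). Serial 4242 is a curl
# process connecting to the daemon socket, 4243 is the docker CLI doing the same,
# 4244 is an unrelated TCP connect by ssh (AF_INET sockaddr, family 2, ignored).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:4242): arch=c000003e syscall=42 success=yes exit=0 a0=3 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="docker_sock"',
    'type=SOCKADDR msg=audit(1700000000.101:4242): saddr=01002F7661722F72756E2F646F636B65722E736F636B00',
    'type=SYSCALL msg=audit(1700000000.102:4243): arch=c000003e syscall=42 success=yes exit=0 a0=3 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="docker" exe="/usr/bin/docker" key="docker_sock"',
    'type=SOCKADDR msg=audit(1700000000.102:4243): saddr=01002F7661722F72756E2F646F636B65722E736F636B00',
    'type=SYSCALL msg=audit(1700000000.103:4244): arch=c000003e syscall=42 success=yes exit=0 a0=3 ppid=1 pid=901 auid=1000 uid=1000 gid=1000 comm="ssh" exe="/usr/bin/ssh" key="net"',
    'type=SOCKADDR msg=audit(1700000000.103:4244): saddr=02000016C0A800010000000000000000',
]


if __name__ == "__main__":
    for f in find_docker_socket_access(SAMPLE_AUDIT_LINES):
        flag = "UNEXPECTED" if f["unexpected"] else "expected"
        print(f"{f['serial']}: {f['comm']} ({f['exe']}, uid {f['uid']}) -> {f['socket']} [{flag}]")
```

Keying on the decoded sockaddr rather than on the comm name of the client keeps the check independent of how the build request was issued; the docker CLI and a raw HTTP client both show up, and the allow-list decides which one becomes an alert.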
