DC0015 Image Creation

| Item | Value |
|---|---|
| ID | DC0015 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
|---|---|
| AWS:CloudTrail | RegisterImage |
| containerd:events | Image pull from untrusted registry (name NOT IN allowlist) or new digest never seen before |
| docker:daemon | docker build or docker commit commands followed by docker push to internal registry |
| docker:daemon | docker build or POST /build API request |
| kubernetes:apiserver | Pod spec triggering build or custom controller activity invoking image builds |
| kubernetes:audit | create |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0459 | Detection Strategy for Build Image on Host | T1612 |
| DET0334 | Detection Strategy for T1525 – Implant Internal Image | T1525 |
| DET0248 | User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003) | T1204.003 |