Skip to content

DET0459 Detection Strategy for Build Image on Host

Item Value
ID DET0459
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1612 (Build Image on Host)

Analytics

Containers

AN1261

Detection of container image build activity directly on the host using Docker or Kubernetes APIs. Defenders may observe Docker build requests, anomalous Dockerfile instructions (such as downloading code from unknown IPs), or creation of new images followed by immediate deployment. This behavior chain typically consists of an unexpected image creation event correlated with outbound network communication to non-standard or untrusted destinations.

Log Sources
Data Component Name Channel
Image Creation (DC0015) docker:daemon docker build or POST /build API request
Network Connection Creation (DC0082) NSM:Flow outbound connections from host during or immediately after image build
Mutable Elements
Field Description
RegistryAllowList Defines trusted registries for image pulls/builds. Builds referencing unapproved registries may indicate adversary behavior.
NewImageThreshold Threshold for number of new custom images created in a given time window. Exceeding this threshold may indicate malicious builds.
TimeWindow Defines correlation window (e.g., 5m) between suspicious build activity and subsequent network traffic anomalies.