Scheduled Task/Job: Container Orchestration Job

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.

In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.[1][2] An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.[3]

ID: T1053.007
Sub-technique of:  T1053
Platforms: Containers
Permissions Required: User
Supports Remote:  Yes
Contributors: Center for Threat-Informed Defense (CTID); Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 1.2
Created: 29 March 2021
Last Modified: 01 April 2022

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Ensure containers are not running as root by default. In Kubernetes environments, consider defining a Pod Security Policy that prevents pods from running privileged containers.[4]

M1018 User Account Management

Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs.

Detection

ID Data Source Data Component
DS0032 Container Container Creation
DS0022 File File Creation
DS0003 Scheduled Job Scheduled Job Creation

Monitor for the anomalous creation of scheduled jobs in container orchestration environments. Use logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments.

References