Technique on mitre.org

T1053.007: Container Orchestration Job

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.

In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of process-start events which contain 'kubectl get jobs', 'kubectl create job --from=', 'kubectl apply -f', or 'kubectl create -f' in their command line.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0032	Data source and component	Container: Container Creation	Description	Monitor for newly constructed containers

ID	DS0003	Data source and component	Scheduled Job: Scheduled Job Creation	Description	Monitor for the anomalous creation of scheduled jobs in container orchestration environments.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed files by using the logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments.

ID	Data source and component	Description
DS0032	Container: Container Creation	Monitor for newly constructed containers
DS0003	Scheduled Job: Scheduled Job Creation	Monitor for the anomalous creation of scheduled jobs in container orchestration environments.
DS0022	File: File Creation	Monitor for newly constructed files by using the logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments.

Mitigation

ID	M1018	Name	User Account Management	Description	Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs.

ID	M1026	Name	Privileged Account Management	Description	Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.

ID	Name	Description
M1018	User Account Management	Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs.
M1026	Privileged Account Management	Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.