| ID | Name |
|---|---|
| T1053.002 | At |
| T1053.003 | Cron |
| T1053.005 | Scheduled Task |
| T1053.006 | Systemd Timers |
| T1053.007 | Container Orchestration Job |
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.[1][2] An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.[3]
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management |
Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.[4] |
| M1018 | User Account Management |
Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0032 | Container | Container Creation |
Monitor for container creation events within Kubernetes clusters. This helps track when new containers are being deployed, especially by jobs that could have been scheduled by adversaries. Analytic 1 - Look for new container creation events with unusual parameters.
|
| DS0022 | File | File Creation |
Monitor for newly constructed files by using the logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments. Note: This query monitors for .yaml configuration files that are used to define jobs and container behaviors within Kubernetes. Changes or creations of these files should be closely watched. Analytic 1 - Look for new file creation events with unusual parameters.
|
| DS0003 | Scheduled Job | Scheduled Job Creation |
Monitor for Kubernetes CronJob or Job creation using Kubernetes API or CLI commands. Note: This query tracks job creation using kubectl commands or Kubernetes API calls to create or apply CronJobs. It filters out legitimate job creation based on a baseline and identifies unusual CronJob creation or usage. Analytic 1 - Look for new container job creation events with unusual parameters.
Note: This query monitors Kubernetes events for job creation, start, and completion. These events are useful for tracking the actual execution of scheduled tasks in the cluster.Analytic 2 - Monitoring Kubernetes Events for Job Execution
|