
DET0206 Detection of Malicious Kubernetes CronJob Scheduling

Item           Value
ID             DET0206
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1053.007 (Container Orchestration Job)

Analytics

Platform: Containers

AN0582: Detects abuse of container orchestration platforms (e.g., Kubernetes) where adversaries create CronJobs to maintain persistence or execute malicious Jobs across the cluster.

Log Sources
Data Component                    Name                  Channel
Scheduled Job Creation (DC0001)   kubernetes:apiserver  verb=create, resource=cronjobs, group=batch
Container Creation (DC0072)       kubernetes:events     container start/stop activity via Docker, containerd, or CRI-O
Network Traffic Content (DC0085)  container:proxy       outbound/inbound network activity from spawned pods
Mutable Elements
Field             Description
NamespaceScope    Kubernetes namespace the job is deployed to—scoping this to known trusted namespaces may reduce noise.
ImageRepository   The container image registry or repository the job pulls from—can be filtered by trusted registries.
ScheduleWindow    Time window or frequency of CronJob execution (e.g., ‘@hourly’)—jobs running at odd hours may be suspicious.
ExecutionCommand  The command or entrypoint executed by the Job—unexpected shell commands or interpreters may warrant inspection.
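The following is an added example, not part of the ATT&CK page and not MITRE's own code, showing how the AN0582 analytic and its four mutable elements could be applied to Kubernetes API server audit records (the DC0001 channel) in JSON-lines form. It assumes the audit policy logs the cronjobs resource at level Request or RequestResponse so that each event carries a requestObject with the CronJob spec. The trusted namespaces, the registry prefix registry.internal.example, the interpreter list, the business-hours window and the sample audit events are all constructed for illustration; the helper _cronjob_event exists only to build those samples.

```python
import json
from typing import Dict, Iterable, List, Optional

# Tunables mirroring the strategy's mutable elements. All values are
# illustrative placeholders constructed for this example, not recommendations.
TRUSTED_NAMESPACES = {"kube-system", "platform-ops"}
TRUSTED_REGISTRIES = ("registry.internal.example/",)  # hypothetical registry prefix
INTERPRETERS = {"sh", "bash", "dash", "ash", "python", "python3", "perl", "ruby"}
BUSINESS_HOURS = range(6, 21)  # hours 06..20 treated as normal for ScheduleWindow


def is_cronjob_create(event: Dict) -> bool:
    """Match the DC0001 channel: verb=create, resource=cronjobs, group=batch."""
    ref = event.get("objectRef", {})
    return (event.get("verb") == "create"
            and ref.get("resource") == "cronjobs"
            and ref.get("apiGroup") == "batch")


def pod_containers(cronjob: Dict) -> List[Dict]:
    """Containers (and init containers) of the CronJob's pod template."""
    pod = (cronjob.get("spec", {}).get("jobTemplate", {}).get("spec", {})
           .get("template", {}).get("spec", {}))
    return pod.get("containers", []) + pod.get("initContainers", [])


def schedule_reasons(schedule: str) -> List[str]:
    """ScheduleWindow: flag odd-hour or very frequent cron expressions."""
    if schedule == "@hourly":
        return [f"high-frequency schedule {schedule!r}"]
    fields = schedule.split()
    if schedule.startswith("@") or len(fields) != 5:
        return []  # other macros and malformed expressions are not scored here
    minute, hour = fields[0], fields[1]
    reasons = []
    if hour == "*" and minute.startswith("*/") and minute[2:].isdigit() and int(minute[2:]) <= 15:
        reasons.append(f"high-frequency schedule {schedule!r}")
    if hour.isdigit() and int(hour) not in BUSINESS_HOURS:
        reasons.append(f"scheduled outside business hours (hour {hour})")
    return reasons


def evaluate_event(event: Dict) -> Optional[Dict]:
    """Score one audit record against the mutable elements; None if nothing trips."""
    if not is_cronjob_create(event):
        return None
    ref = event["objectRef"]
    # requestObject is only present when the audit policy logs this resource at
    # level Request or RequestResponse (assumed here).
    cronjob = event.get("requestObject", {})
    reasons: List[str] = []
    ns = ref.get("namespace", "")
    if ns not in TRUSTED_NAMESPACES:  # NamespaceScope
        reasons.append(f"namespace {ns!r} outside trusted scope")
    for c in pod_containers(cronjob):
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):  # ImageRepository
            reasons.append(f"image {image!r} not from a trusted registry")
        cmd = c.get("command") or []
        if cmd and cmd[0].rsplit("/", 1)[-1] in INTERPRETERS:  # ExecutionCommand
            reasons.append(f"entrypoint is an interpreter: {' '.join(cmd)}")
    reasons += schedule_reasons(cronjob.get("spec", {}).get("schedule", ""))
    if not reasons:
        return None
    return {"namespace": ns, "name": ref.get("name"),
            "user": event.get("user", {}).get("username"), "reasons": reasons}


def analyze_audit_log(lines: Iterable[str]) -> List[Dict]:
    """Run evaluate_event over JSON-lines API server audit records."""
    findings = []
    for line in lines:
        if line.strip():
            finding = evaluate_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


def _cronjob_event(ns, name, user, schedule, image, command):
    """Build a constructed audit.k8s.io/v1 create event for the samples below."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": user},
        "objectRef": {"resource": "cronjobs", "apiGroup": "batch",
                      "namespace": ns, "name": name},
        "requestObject": {"spec": {"schedule": schedule, "jobTemplate": {"spec": {
            "template": {"spec": {"containers": [
                {"name": name, "image": image, "command": command}]}}}}}},
    })


# Constructed sample log: one routine job, one that trips every check, one non-create.
SAMPLE_AUDIT_LINES = [
    _cronjob_event("platform-ops", "db-backup", "system:serviceaccount:platform-ops:deployer",
                   "0 9 * * *", "registry.internal.example/backup:1.4", ["/app/backup"]),
    _cronjob_event("default", "sync", "alice@example.com",
                   "*/5 * * * *", "docker.io/library/alpine:3.19", ["/bin/sh", "-c", "echo tick"]),
    json.dumps({"verb": "get", "objectRef": {"resource": "cronjobs", "apiGroup": "batch",
                                               "namespace": "default", "name": "sync"}}),
]
```

Running analyze_audit_log(SAMPLE_AUDIT_LINES) returns a single finding for the "sync" job in the default namespace with four reasons (untrusted namespace, public image, shell entrypoint, five-minute schedule); the platform-ops backup job is suppressed because every check passes, and the "get" record never matches the channel filter. Each mutable element maps to one constant at the top, so tuning the analytic for a cluster means editing those sets rather than the matching logic.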