T1053.007 Container Orchestration Job
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.21 An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.3
Item | Value |
---|---|
ID | T1053.007 |
Sub-techniques | T1053.002, T1053.003, T1053.005, T1053.006, T1053.007 |
Tactics | TA0002, TA0003, TA0004 |
Platforms | Containers |
Permissions required | User |
Version | 1.3 |
Created | 29 March 2021 |
Last Modified | 15 April 2023 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1026 | Privileged Account Management | Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.4 |
M1018 | User Account Management | Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0032 | Container | Container Creation |
DS0022 | File | File Creation |
DS0003 | Scheduled Job | Scheduled Job Creation |
References
-
The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved March 29, 2021. ↩
-
The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March 30, 2021. ↩
-
Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021. ↩
-
National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022. ↩