T1053.007: Container Orchestration Job
| View on MITRE ATT&CK | T1053.007 |
|---|---|
| Tactic(s) | Privilege Escalation, Persistence, Execution |
Data from MITRE ATT&CK®:
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Scheduled Job Creation (Scheduled Job)
Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)Container Creation (Container)
Initial construction of a new container (ex: docker create <container_name>)File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.