T1053.007 Container Orchestration Job

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.

In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-05.02 Privileged system access Mitigates T1053.007 Container Orchestration Job
Comments
This diagnostic statement protects against Container Orchestration Job through the use of privileged account management and the use of multi-factor authentication.
References
    DE.CM-03.03 Privileged account monitoring Mitigates T1053.007 Container Orchestration Job
    Comments
    This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
    References
      PR.AA-01.01 Identity and credential management Mitigates T1053.007 Container Orchestration Job
      Comments
      This diagnostic statement protects against Container Orchestration Job through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
      References

        NIST 800-53 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        CM-05 Access Restrictions for Change mitigates T1053.007 Container Orchestration Job
        IA-08 Identification and Authentication (Non-Organizational Users) mitigates T1053.007 Container Orchestration Job
        IA-02 Identification and Authentication (Organizational Users) mitigates T1053.007 Container Orchestration Job
        AC-02 Account Management mitigates T1053.007 Container Orchestration Job
        AC-03 Access Enforcement mitigates T1053.007 Container Orchestration Job
        AC-05 Separation of Duties mitigates T1053.007 Container Orchestration Job
        AC-06 Least Privilege mitigates T1053.007 Container Orchestration Job

        VERIS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1053.007 Container Orchestration Job

        Azure Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        alerts_for_windows_machines Alerts for Windows Machines technique_scores T1053.007 Container Orchestration Job
        defender_for_containers Microsoft Defender for Containers technique_scores T1053.007 Container Orchestration Job
        Comments
        This control can detect when containers are created.
        References

        GCP Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        binary_authorization Binary Authorization technique_scores T1053.007 Container Orchestration Job
        Comments
        Each image has a signer digitally sign using a private key. At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.
        References
        google_kubernetes_engine Google Kubernetes Engine technique_scores T1053.007 Container Orchestration Job
        Comments
        GKE provides the ability to audit against a set of recommended benchmark [Center for Internet Security (CIS)]. This control may avoid privileged containers and running containers as root.
        References

        AWS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        aws_config AWS Config technique_scores T1053.007 Container Orchestration Job
        Comments
        The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to create or modify orchestration jobs. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.
        References