Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in the cluster.(Citation: Threat Matrix for Kubernetes)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1053.007 | Container Orchestration Job |
| AC-3 | Access Enforcement | Protects | T1053.007 | Container Orchestration Job |
| AC-5 | Separation of Duties | Protects | T1053.007 | Container Orchestration Job |
| AC-6 | Least Privilege | Protects | T1053.007 | Container Orchestration Job |
| CM-5 | Access Restrictions for Change | Protects | T1053.007 | Container Orchestration Job |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.007 | Container Orchestration Job |
| IA-8 | Identification and Authentication (non-organizational Users) | Protects | T1053.007 | Container Orchestration Job |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.007 | Scheduled Task/Job: Container Orchestration Job |
| aws_config | AWS Config | technique_scores | T1053.007 | Container Orchestration Job |