T1053.007 Container Orchestration Job Mappings

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.

In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in the cluster.(Citation: Threat Matrix for Kubernetes)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1053.007 Container Orchestration Job
AC-3 Access Enforcement Protects T1053.007 Container Orchestration Job
AC-5 Separation of Duties Protects T1053.007 Container Orchestration Job
AC-6 Least Privilege Protects T1053.007 Container Orchestration Job
CM-5 Access Restrictions for Change Protects T1053.007 Container Orchestration Job
IA-2 Identification and Authentication (organizational Users) Protects T1053.007 Container Orchestration Job
IA-8 Identification and Authentication (non-organizational Users) Protects T1053.007 Container Orchestration Job
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1053.007 Scheduled Task/Job: Container Orchestration Job
aws_config AWS Config technique_scores T1053.007 Container Orchestration Job
Comments
The "eks-endpoint-no-public-access" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to create or modify orchestration jobs. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.
References