- Tactics
- Execution , Persistence , Privilege Escalation
- Platforms
- Containers
- Reference
- attack.mitre.org/techniques/T1053.007
Description
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Execution, Persistence, Privilege Escalation tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1047 — Windows Management Instrumentation
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1059 — Command and Scripting Interpreter
- T1068 — Exploitation for Privilege Escalation
- T1072 — Software Deployment Tools
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1106 — Native API
- T1112 — Modify Registry
- T1127 — Trusted Developer Utilities Proxy Execution