T1053.007

Container Orchestration Job

Execution Persistence Privilege Escalation

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.

Microsoft Sentinel / Defender

kusto

// Detect suspicious Kubernetes CronJob/Job creation via Kubernetes audit logs ingested into Sentinel
// Requires AzureDiagnostics or AKS audit log ingestion via Diagnostic Settings
let SuspiciousImages = dynamic([
  "alpine", "busybox", "ubuntu", "debian", "kali",
  "python", "perl", "ruby", "php",
  "ncat", "netcat", "nmap", "masscan",
  "curl", "wget"
]);
let SuspiciousCommands = dynamic([
  "curl", "wget", "bash -i", "/dev/tcp", "nc ", "ncat",
  "python -c", "perl -e", "ruby -e",
  "chmod +x", "base64 -d", "eval",
  "/bin/sh -c", "/bin/bash -c",
  "mkfifo", "socat"
]);
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "kube-audit" or Category == "kube-audit-admin"
| extend AuditLog = parse_json(log_s)
| extend
    Verb = tostring(AuditLog.verb),
    Resource = tostring(AuditLog.objectRef.resource),
    Namespace = tostring(AuditLog.objectRef.namespace),
    Name = tostring(AuditLog.objectRef.name),
    User = tostring(AuditLog.user.username),
    UserAgent = tostring(AuditLog.userAgent),
    SourceIP = tostring(AuditLog.sourceIPs[0]),
    RequestBody = tostring(AuditLog.requestObject)
| where Resource in~ ("cronjobs", "jobs")
| where Verb in~ ("create", "update", "patch")
| extend IsSuspiciousImage = RequestBody has_any (SuspiciousImages)
| extend IsSuspiciousCommand = RequestBody has_any (SuspiciousCommands)
| extend IsHostPathMount = RequestBody has "hostPath"
| extend IsPrivileged = RequestBody has "privileged"
| extend IsHostNetwork = RequestBody has "hostNetwork"
| extend IsSensitiveMount = RequestBody has_any ("/etc", "/var/run/docker.sock", "/proc", "/sys")
| extend IsServiceAccountToken = RequestBody has "automountServiceAccountToken"
| extend SuspicionScore = toint(IsSuspiciousImage) + toint(IsSuspiciousCommand) + toint(IsHostPathMount) + toint(IsPrivileged) + toint(IsHostNetwork) + toint(IsSensitiveMount)
| where SuspicionScore > 0
| project
    TimeGenerated, Resource, Verb, Namespace, Name,
    User, UserAgent, SourceIP,
    IsSuspiciousImage, IsSuspiciousCommand, IsHostPathMount,
    IsPrivileged, IsHostNetwork, IsSensitiveMount,
    IsServiceAccountToken, SuspicionScore,
    RequestBody
| sort by SuspicionScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Kubernetes Audit Logs Azure Kubernetes Service Diagnostic Logs

Required Tables

AzureDiagnostics

False Positives

Legitimate CI/CD pipeline jobs that use base images like alpine or ubuntu for build tasks
Cluster maintenance CronJobs that use curl or wget to check service health endpoints
Log rotation or data cleanup jobs that use shell commands like /bin/sh -c
Security scanning jobs (Falco, Trivy, kube-bench) that mount host paths for vulnerability assessment
Operators and controllers that create jobs programmatically as part of normal cluster operations

Splunk

spl

index=kubernetes sourcetype="kube:audit" OR sourcetype="kube:apiserver:audit"
| spath input=_raw
| search (objectRef.resource="cronjobs" OR objectRef.resource="jobs")
  (verb="create" OR verb="update" OR verb="patch")
| eval user=spath(_raw, "user.username")
| eval namespace=spath(_raw, "objectRef.namespace")
| eval resource_name=spath(_raw, "objectRef.name")
| eval source_ip=spath(_raw, "sourceIPs{0}")
| eval user_agent=spath(_raw, "userAgent")
| eval request_body=spath(_raw, "requestObject")
| eval IsSuspiciousImage=if(match(request_body, "(alpine|busybox|ubuntu|debian|kali|python|perl|ruby|php|ncat|netcat|nmap|masscan)"), 1, 0)
| eval IsSuspiciousCommand=if(match(request_body, "(curl|wget|bash\s+-i|/dev/tcp|nc\s+|ncat|python\s+-c|perl\s+-e|ruby\s+-e|chmod\s+\+x|base64\s+-d|eval|/bin/sh\s+-c|/bin/bash\s+-c|mkfifo|socat)"), 1, 0)
| eval IsHostPathMount=if(match(request_body, "hostPath"), 1, 0)
| eval IsPrivileged=if(match(request_body, "privileged"), 1, 0)
| eval IsHostNetwork=if(match(request_body, "hostNetwork"), 1, 0)
| eval IsSensitiveMount=if(match(request_body, "(/etc|/var/run/docker\.sock|/proc|/sys)"), 1, 0)
| eval SuspicionScore=IsSuspiciousImage + IsSuspiciousCommand + IsHostPathMount + IsPrivileged + IsHostNetwork + IsSensitiveMount
| where SuspicionScore > 0
| table _time, objectRef.resource, verb, namespace, resource_name, user, user_agent, source_ip, IsSuspiciousImage, IsSuspiciousCommand, IsHostPathMount, IsPrivileged, IsHostNetwork, IsSensitiveMount, SuspicionScore
| sort - SuspicionScore - _time

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Kubernetes Audit Logs Kubernetes API Server Audit

Required Sourcetypes

kube:audit kube:apiserver:audit

False Positives

Legitimate CI/CD pipeline jobs that use base images like alpine or ubuntu for build tasks
Cluster maintenance CronJobs that use curl or wget to check service health endpoints
Log rotation or data cleanup jobs that use shell commands like /bin/sh -c
Security scanning jobs (Falco, Trivy, kube-bench) that mount host paths for vulnerability assessment
Operators and controllers that create jobs programmatically as part of normal cluster operations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username AS actor,
  sourceip AS source_ip,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  "objectRef_resource" AS k8s_resource,
  "objectRef_namespace" AS k8s_namespace,
  "objectRef_name" AS resource_name,
  "verb" AS k8s_verb,
  "userAgent" AS user_agent,
  payload AS raw_log,
  (CASE WHEN payload ILIKE '%alpine%' OR payload ILIKE '%busybox%' OR payload ILIKE '%kali%' OR payload ILIKE '%netcat%' OR payload ILIKE '%nmap%' OR payload ILIKE '%masscan%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%/dev/tcp%' OR payload ILIKE '%mkfifo%' OR payload ILIKE '%socat%' OR payload ILIKE '%base64 -d%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%hostPath%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%"privileged":true%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%"hostNetwork":true%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%/var/run/docker.sock%' OR payload ILIKE '%"/proc%' OR payload ILIKE '%"/sys%' THEN 1 ELSE 0 END) AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%kubernetes%'
  AND (
    "objectRef_resource" IN ('cronjobs', 'jobs')
    OR payload ILIKE '%"resource":"cronjobs"%'
    OR payload ILIKE '%"resource":"jobs"%'
  )
  AND (
    "verb" IN ('create', 'update', 'patch')
    OR payload ILIKE '%"verb":"create"%'
    OR payload ILIKE '%"verb":"update"%'
    OR payload ILIKE '%"verb":"patch"%'
  )
  AND (
    payload ILIKE '%alpine%' OR payload ILIKE '%busybox%' OR payload ILIKE '%kali%'
    OR payload ILIKE '%netcat%' OR payload ILIKE '%nmap%' OR payload ILIKE '%ncat%'
    OR payload ILIKE '%hostPath%' OR payload ILIKE '%"privileged":true%'
    OR payload ILIKE '%"hostNetwork":true%' OR payload ILIKE '%/dev/tcp%'
    OR payload ILIKE '%mkfifo%' OR payload ILIKE '%socat%'
    OR payload ILIKE '%/var/run/docker.sock%' OR payload ILIKE '%base64 -d%'
  )
  AND starttime > NOW() - 86400000
ORDER BY suspicion_score DESC, starttime DESC

high severity medium confidence

Data Sources

IBM QRadar Kubernetes DSM log source QRadar Universal DSM with Kubernetes API server audit log ingestion

Required Tables

events

False Positives

Authorized security scanning or pen-test CronJobs deploying nmap, netcat, or masscan containers in designated test namespaces
DevOps tooling that routinely deploys alpine or ubuntu utility pods for ephemeral maintenance and configuration jobs
Node-level monitoring CronJobs that mount hostPath volumes for log collection or disk metrics aggregation

Sumo Logic CSE

sql

_sourceCategory=kubernetes/audit
| json field=_raw "verb" as verb nodrop
| json field=_raw "objectRef.resource" as resource nodrop
| json field=_raw "objectRef.namespace" as namespace nodrop
| json field=_raw "objectRef.name" as resource_name nodrop
| json field=_raw "user.username" as actor nodrop
| json field=_raw "userAgent" as user_agent nodrop
| json field=_raw "sourceIPs[0]" as source_ip nodrop
| json field=_raw "requestObject" as request_body nodrop
| where resource in ("cronjobs", "jobs")
| where verb in ("create", "update", "patch")
| eval IsSuspiciousImage = if(matches(request_body, "(?i)(alpine|busybox|ubuntu|debian|kali|python|perl|ruby|php|ncat|netcat|nmap|masscan)"), 1, 0)
| eval IsSuspiciousCmd = if(matches(request_body, "(?i)(bash -i|/dev/tcp|mkfifo|socat|base64 -d|ncat|chmod \\+x)"), 1, 0)
| eval IsHostPath = if(matches(request_body, "hostPath"), 1, 0)
| eval IsPrivileged = if(matches(request_body, "privileged.*true"), 1, 0)
| eval IsHostNetwork = if(matches(request_body, "hostNetwork.*true"), 1, 0)
| eval IsSensitiveMount = if(matches(request_body, "(/var/run/docker.sock|/proc|/sys)"), 1, 0)
| eval SuspicionScore = IsSuspiciousImage + IsSuspiciousCmd + IsHostPath + IsPrivileged + IsHostNetwork + IsSensitiveMount
| where SuspicionScore > 0
| fields _messagetime, resource, verb, namespace, resource_name, actor, user_agent, source_ip, IsSuspiciousImage, IsSuspiciousCmd, IsHostPath, IsPrivileged, IsHostNetwork, IsSensitiveMount, SuspicionScore
| sort by SuspicionScore desc, _messagetime desc

high severity medium confidence

Data Sources

Sumo Logic Kubernetes Collection (Helm chart) Sumo Logic HTTP Source for Kubernetes audit log forwarding

Required Tables

kubernetes/audit _sourceCategory (configurable per collection setup)

False Positives

Legitimate Python or Ruby container-based data pipeline CronJobs scheduled by analytics or ML teams
Security team authorized CronJobs running kali or nmap containers for scheduled vulnerability scans in isolated test namespaces
Infrastructure automation jobs using hostPath mounts for node-level log agent deployment or disk usage monitoring

Google Chronicle / SecOps

yaral

rule kubernetes_suspicious_cronjob_job_creation {
  meta:
    author = "df00tech"
    description = "Detects suspicious Kubernetes CronJob or Job creation that may indicate adversary persistence or code execution via container orchestration abuse (T1053.007)"
    mitre_attack_tactic = "Persistence, Execution"
    mitre_attack_technique = "T1053.007"
    severity = "HIGH"
    confidence = "MEDIUM"
    platform = "GCP / GKE"
    reference = "https://attack.mitre.org/techniques/T1053/007/"

  events:
    ($e.metadata.log_type = "GKE_CONTROLPLANE" or
     $e.metadata.log_type = "K8S_AUDIT")
    ($e.network.http.method = "POST" or
     $e.network.http.method = "PUT" or
     $e.network.http.method = "PATCH")
    re.regex($e.target.url, `/(cronjobs|jobs)(/|$)`)
    (
      re.regex($e.target.resource.attribute.labels["image"], `(?i)(alpine|busybox|ubuntu|debian|kali|python|perl|ruby|php|ncat|netcat|nmap|masscan)`) or
      re.regex($e.target.resource.attribute.labels["command"], `(?i)(bash -i|/dev/tcp|mkfifo|socat|base64 -d|chmod \+x)`) or
      $e.target.resource.attribute.labels["host_path"] = "true" or
      $e.target.resource.attribute.labels["privileged"] = "true" or
      $e.target.resource.attribute.labels["host_network"] = "true" or
      re.regex($e.target.resource.attribute.labels["mount_path"], `/var/run/docker\.sock|/proc|/sys`)
    )
    not $e.principal.user.userid = /^system:(serviceaccount:kube-system|node:|component:)/

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Cloud GKE Control Plane audit logs via Cloud Logging sink to Chronicle Kubernetes API server audit logs with Chronicle HTTPS ingestion API Google Security Operations GKE log type: GKE_CONTROLPLANE

Required Tables

GKE_CONTROLPLANE UDM log type K8S_AUDIT UDM log type

False Positives

Automated CI/CD GitOps controllers (ArgoCD, Flux) creating Job or CronJob resources using lightweight images in production namespaces
Authorized red team exercises scheduling offensive tooling containers in dedicated assessment clusters
Cluster-level backup CronJobs using privileged containers or hostPath mounts for node-consistent snapshot operations

CrowdStrike LogScale (CQL)

cql

// Requires Falcon for Containers with Kubernetes Admission Controller (KAC) or K8s audit log ingestion into LogScale
(#event_simpleName = /K8sAdmissionReview|K8sCronJobCreated|K8sJobCreated/i)
OR (ResourceType = /^(cronjobs|jobs)$/i AND Verb = /^(create|update|patch)$/i)
| IsSuspiciousImage := if(
    ImageName = /(?i)(alpine|busybox|ubuntu|debian|kali|python|perl|ruby|php|ncat|netcat|nmap|masscan)/,
    then=1, else=0)
| IsSuspiciousCmd := if(
    CommandLine = /(?i)(bash -i|\/dev\/tcp|mkfifo|socat|base64 -d|ncat|chmod \+x)/
    OR ContainerArgs = /(?i)(bash -i|\/dev\/tcp|mkfifo|socat|base64 -d)/,
    then=1, else=0)
| IsHostPath := if(VolumeType = "hostPath" OR HostPathMount = "true", then=1, else=0)
| IsPrivileged := if(Privileged = "true" OR PrivilegedContainer = "true", then=1, else=0)
| IsHostNetwork := if(HostNetwork = "true", then=1, else=0)
| IsSensitiveMount := if(
    MountPath = /(\/var\/run\/docker\.sock|\/proc|\/sys|\/etc)/,
    then=1, else=0)
| SuspicionScore := IsSuspiciousImage + IsSuspiciousCmd + IsHostPath + IsPrivileged + IsHostNetwork + IsSensitiveMount
| SuspicionScore > 0
| select([_timestamp, ComputerName, UserName, Namespace, ResourceName, ResourceType, ImageName, CommandLine, Verb, IsPrivileged, IsHostNetwork, IsHostPath, IsSuspiciousImage, IsSuspiciousCmd, IsSensitiveMount, SuspicionScore])
| sort(SuspicionScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon for Containers — Kubernetes Admission Controller (KAC) telemetry Falcon LogScale K8s audit log ingestion connector Falcon Horizon cloud security posture events for container workloads

Required Tables

Falcon event types: K8sAdmissionReview, K8sCronJobCreated, K8sJobCreated; fields: ImageName, CommandLine, ContainerArgs, VolumeType, HostPathMount, Privileged, PrivilegedContainer, HostNetwork, MountPath, Namespace, ResourceName, ResourceType, Verb

False Positives

Legitimate workload deployments by development teams using alpine or ubuntu base images in approved application namespaces
Authorized penetration testing exercises scheduling offensive tooling containers in isolated lab or staging clusters
Node-level observability agents (Prometheus node exporter, Falco, Datadog) deployed as privileged DaemonSet jobs requiring hostPath mounts and host network access

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1053.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Container Orchestration Job

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections