Detect Container Orchestration Job in Google Chronicle
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.007 Container Orchestration Job
- Canonical reference
- https://attack.mitre.org/techniques/T1053/007/
YARA-L Detection Query
rule kubernetes_suspicious_cronjob_job_creation {
meta:
author = "df00tech"
description = "Detects suspicious Kubernetes CronJob or Job creation that may indicate adversary persistence or code execution via container orchestration abuse (T1053.007)"
mitre_attack_tactic = "Persistence, Execution"
mitre_attack_technique = "T1053.007"
severity = "HIGH"
confidence = "MEDIUM"
platform = "GCP / GKE"
reference = "https://attack.mitre.org/techniques/T1053/007/"
events:
($e.metadata.log_type = "GKE_CONTROLPLANE" or
$e.metadata.log_type = "K8S_AUDIT")
($e.network.http.method = "POST" or
$e.network.http.method = "PUT" or
$e.network.http.method = "PATCH")
re.regex($e.target.url, `/(cronjobs|jobs)(/|$)`)
(
re.regex($e.target.resource.attribute.labels["image"], `(?i)(alpine|busybox|ubuntu|debian|kali|python|perl|ruby|php|ncat|netcat|nmap|masscan)`) or
re.regex($e.target.resource.attribute.labels["command"], `(?i)(bash -i|/dev/tcp|mkfifo|socat|base64 -d|chmod \+x)`) or
$e.target.resource.attribute.labels["host_path"] = "true" or
$e.target.resource.attribute.labels["privileged"] = "true" or
$e.target.resource.attribute.labels["host_network"] = "true" or
re.regex($e.target.resource.attribute.labels["mount_path"], `/var/run/docker\.sock|/proc|/sys`)
)
not $e.principal.user.userid = /^system:(serviceaccount:kube-system|node:|component:)/
condition:
$e
}Chronicle YARA-L 2.0 rule detecting suspicious Kubernetes CronJob and Job creation from GKE Control Plane or Kubernetes API server audit logs ingested into Google Security Operations. Matches on HTTP method (POST/PUT/PATCH) against the CronJob or Job API URL path, then evaluates Chronicle UDM label fields populated by the GKE parser for attacker-indicative container image names, shell commands, privileged settings, host path mounts, host network sharing, and sensitive mount paths. Excludes expected Kubernetes system service accounts and node identities to reduce false positives.
Data Sources
Required Tables
False Positives & Tuning
- Automated CI/CD GitOps controllers (ArgoCD, Flux) creating Job or CronJob resources using lightweight images in production namespaces
- Authorized red team exercises scheduling offensive tooling containers in dedicated assessment clusters
- Cluster-level backup CronJobs using privileged containers or hostPath mounts for node-consistent snapshot operations
Other platforms for T1053.007
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Kubernetes CronJob with Reverse Shell Command
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, objectRef.namespace=default, objectRef.name=argus-test-cronjob. Request body will contain image=alpine:latest, command /bin/sh -c, args with nc reverse shell. Subsequent Job and Pod creation events will appear as the schedule triggers. Pod logs will show connection failure.
- Test 2Create Privileged Kubernetes Job with Host Path Mount
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=jobs, request body contains image=busybox:latest, securityContext.privileged=true, hostPath.path=/etc. Pod creation event follows. Container process execution visible in node container runtime logs and Falco alerts if deployed.
- Test 3Create Kubernetes CronJob Using Docker Socket Mount for Container Escape
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains hostPath.path=/var/run/docker.sock. Schedule */5 * * * * triggers Jobs periodically. Container execution attempts to access the Docker socket. Falco rule 'Write below monitored dir' or 'Container with sensitive mount' may trigger.
- Test 4Deploy Cryptomining CronJob via kubectl
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains image=ubuntu:20.04, command with curl download, chmod +x, and execution of downloaded binary. Subsequent pod creation when schedule triggers. Container logs show download failure. Sysmon/auditd on node would show curl process and chmod if running.
References (11)
- https://attack.mitre.org/techniques/T1053/007/
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://falco.org/docs/rules/
- https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md
- https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
- https://docs.microsoft.com/en-us/azure/aks/monitor-aks
- https://www.cncf.io/blog/2021/12/06/cloud-native-security-whitepaper/
- https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/kubernetes
Unlock Pro Content
Get the full detection package for T1053.007 including response playbook, investigation guide, and atomic red team tests.