Detect Container Orchestration Job in Elastic Security
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.007 Container Orchestration Job
- Canonical reference
- https://attack.mitre.org/techniques/T1053/007/
Elastic Detection Query
any where event.dataset == "kubernetes.audit"
and kubernetes.audit.objectRef.resource in~ ("cronjobs", "jobs")
and kubernetes.audit.verb in~ ("create", "update", "patch")
and (
message regex~ "(?i)(alpine|busybox|ubuntu|debian|kali|python|perl|ruby|php|ncat|netcat|nmap|masscan|curl|wget)"
or message regex~ "(?i)(bash -i|/dev/tcp|mkfifo|socat|base64 -d|chmod \\+x)"
or message like~ "*hostPath*"
or message regex~ "privileged.*true"
or message regex~ "hostNetwork.*true"
or message regex~ "/var/run/docker\\.sock|/proc|/sys"
)Detects suspicious Kubernetes CronJob and Job creation or modification events using the Elastic Kubernetes audit log integration. Applies regex and wildcard matching against the raw audit log message to flag attacker-favored container images, shell escape commands, privileged container configurations, host path mounts, host networking, and sensitive filesystem volume mounts. Returns all events with at least one suspicion indicator.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate CI/CD pipeline jobs deploying alpine or ubuntu base images for build, test, or release automation tasks
- Authorized security scanning CronJobs that use nmap, netcat, or masscan for scheduled internal network audits in non-production namespaces
- Infrastructure-level DaemonSet maintenance jobs requiring hostPath volume mounts for log forwarding agents such as Fluentd or Promtail
Other platforms for T1053.007
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Kubernetes CronJob with Reverse Shell Command
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, objectRef.namespace=default, objectRef.name=argus-test-cronjob. Request body will contain image=alpine:latest, command /bin/sh -c, args with nc reverse shell. Subsequent Job and Pod creation events will appear as the schedule triggers. Pod logs will show connection failure.
- Test 2Create Privileged Kubernetes Job with Host Path Mount
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=jobs, request body contains image=busybox:latest, securityContext.privileged=true, hostPath.path=/etc. Pod creation event follows. Container process execution visible in node container runtime logs and Falco alerts if deployed.
- Test 3Create Kubernetes CronJob Using Docker Socket Mount for Container Escape
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains hostPath.path=/var/run/docker.sock. Schedule */5 * * * * triggers Jobs periodically. Container execution attempts to access the Docker socket. Falco rule 'Write below monitored dir' or 'Container with sensitive mount' may trigger.
- Test 4Deploy Cryptomining CronJob via kubectl
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains image=ubuntu:20.04, command with curl download, chmod +x, and execution of downloaded binary. Subsequent pod creation when schedule triggers. Container logs show download failure. Sysmon/auditd on node would show curl process and chmod if running.
References (11)
- https://attack.mitre.org/techniques/T1053/007/
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://falco.org/docs/rules/
- https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md
- https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
- https://docs.microsoft.com/en-us/azure/aks/monitor-aks
- https://www.cncf.io/blog/2021/12/06/cloud-native-security-whitepaper/
- https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/kubernetes
Unlock Pro Content
Get the full detection package for T1053.007 including response playbook, investigation guide, and atomic red team tests.