Detect Container Orchestration Job in CrowdStrike LogScale
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.007 Container Orchestration Job
- Canonical reference
- https://attack.mitre.org/techniques/T1053/007/
LogScale Detection Query
// Requires Falcon for Containers with Kubernetes Admission Controller (KAC) or K8s audit log ingestion into LogScale
(#event_simpleName = /K8sAdmissionReview|K8sCronJobCreated|K8sJobCreated/i)
OR (ResourceType = /^(cronjobs|jobs)$/i AND Verb = /^(create|update|patch)$/i)
| IsSuspiciousImage := if(
ImageName = /(?i)(alpine|busybox|ubuntu|debian|kali|python|perl|ruby|php|ncat|netcat|nmap|masscan)/,
then=1, else=0)
| IsSuspiciousCmd := if(
CommandLine = /(?i)(bash -i|\/dev\/tcp|mkfifo|socat|base64 -d|ncat|chmod \+x)/
OR ContainerArgs = /(?i)(bash -i|\/dev\/tcp|mkfifo|socat|base64 -d)/,
then=1, else=0)
| IsHostPath := if(VolumeType = "hostPath" OR HostPathMount = "true", then=1, else=0)
| IsPrivileged := if(Privileged = "true" OR PrivilegedContainer = "true", then=1, else=0)
| IsHostNetwork := if(HostNetwork = "true", then=1, else=0)
| IsSensitiveMount := if(
MountPath = /(\/var\/run\/docker\.sock|\/proc|\/sys|\/etc)/,
then=1, else=0)
| SuspicionScore := IsSuspiciousImage + IsSuspiciousCmd + IsHostPath + IsPrivileged + IsHostNetwork + IsSensitiveMount
| SuspicionScore > 0
| select([_timestamp, ComputerName, UserName, Namespace, ResourceName, ResourceType, ImageName, CommandLine, Verb, IsPrivileged, IsHostNetwork, IsHostPath, IsSuspiciousImage, IsSuspiciousCmd, IsSensitiveMount, SuspicionScore])
| sort(SuspicionScore, order=desc)CrowdStrike LogScale detection query for suspicious Kubernetes CronJob and Job creation events using Falcon for Containers telemetry from the Kubernetes Admission Controller (KAC) or ingested K8s API server audit logs. Applies a six-factor suspicion scoring model evaluating container image names, command line arguments, hostPath volume usage, privileged container flags, host network sharing, and sensitive filesystem mount paths. Events with any suspicion indicator are surfaced ranked by total score descending.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate workload deployments by development teams using alpine or ubuntu base images in approved application namespaces
- Authorized penetration testing exercises scheduling offensive tooling containers in isolated lab or staging clusters
- Node-level observability agents (Prometheus node exporter, Falco, Datadog) deployed as privileged DaemonSet jobs requiring hostPath mounts and host network access
Other platforms for T1053.007
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Kubernetes CronJob with Reverse Shell Command
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, objectRef.namespace=default, objectRef.name=argus-test-cronjob. Request body will contain image=alpine:latest, command /bin/sh -c, args with nc reverse shell. Subsequent Job and Pod creation events will appear as the schedule triggers. Pod logs will show connection failure.
- Test 2Create Privileged Kubernetes Job with Host Path Mount
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=jobs, request body contains image=busybox:latest, securityContext.privileged=true, hostPath.path=/etc. Pod creation event follows. Container process execution visible in node container runtime logs and Falco alerts if deployed.
- Test 3Create Kubernetes CronJob Using Docker Socket Mount for Container Escape
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains hostPath.path=/var/run/docker.sock. Schedule */5 * * * * triggers Jobs periodically. Container execution attempts to access the Docker socket. Falco rule 'Write below monitored dir' or 'Container with sensitive mount' may trigger.
- Test 4Deploy Cryptomining CronJob via kubectl
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains image=ubuntu:20.04, command with curl download, chmod +x, and execution of downloaded binary. Subsequent pod creation when schedule triggers. Container logs show download failure. Sysmon/auditd on node would show curl process and chmod if running.
References (11)
- https://attack.mitre.org/techniques/T1053/007/
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://falco.org/docs/rules/
- https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md
- https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
- https://docs.microsoft.com/en-us/azure/aks/monitor-aks
- https://www.cncf.io/blog/2021/12/06/cloud-native-security-whitepaper/
- https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/kubernetes
Unlock Pro Content
Get the full detection package for T1053.007 including response playbook, investigation guide, and atomic red team tests.