T1053.007 IBM QRadar · QRadar

Detect Container Orchestration Job in IBM QRadar

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.007 Container Orchestration Job
Canonical reference
https://attack.mitre.org/techniques/T1053/007/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username AS actor,
  sourceip AS source_ip,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  "objectRef_resource" AS k8s_resource,
  "objectRef_namespace" AS k8s_namespace,
  "objectRef_name" AS resource_name,
  "verb" AS k8s_verb,
  "userAgent" AS user_agent,
  payload AS raw_log,
  (CASE WHEN payload ILIKE '%alpine%' OR payload ILIKE '%busybox%' OR payload ILIKE '%kali%' OR payload ILIKE '%netcat%' OR payload ILIKE '%nmap%' OR payload ILIKE '%masscan%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%/dev/tcp%' OR payload ILIKE '%mkfifo%' OR payload ILIKE '%socat%' OR payload ILIKE '%base64 -d%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%hostPath%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%"privileged":true%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%"hostNetwork":true%' THEN 1 ELSE 0 END
   + CASE WHEN payload ILIKE '%/var/run/docker.sock%' OR payload ILIKE '%"/proc%' OR payload ILIKE '%"/sys%' THEN 1 ELSE 0 END) AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%kubernetes%'
  AND (
    "objectRef_resource" IN ('cronjobs', 'jobs')
    OR payload ILIKE '%"resource":"cronjobs"%'
    OR payload ILIKE '%"resource":"jobs"%'
  )
  AND (
    "verb" IN ('create', 'update', 'patch')
    OR payload ILIKE '%"verb":"create"%'
    OR payload ILIKE '%"verb":"update"%'
    OR payload ILIKE '%"verb":"patch"%'
  )
  AND (
    payload ILIKE '%alpine%' OR payload ILIKE '%busybox%' OR payload ILIKE '%kali%'
    OR payload ILIKE '%netcat%' OR payload ILIKE '%nmap%' OR payload ILIKE '%ncat%'
    OR payload ILIKE '%hostPath%' OR payload ILIKE '%"privileged":true%'
    OR payload ILIKE '%"hostNetwork":true%' OR payload ILIKE '%/dev/tcp%'
    OR payload ILIKE '%mkfifo%' OR payload ILIKE '%socat%'
    OR payload ILIKE '%/var/run/docker.sock%' OR payload ILIKE '%base64 -d%'
  )
  AND starttime > NOW() - 86400000
ORDER BY suspicion_score DESC, starttime DESC
high severity medium confidence

Detects suspicious Kubernetes CronJob and Job creation events in IBM QRadar by applying a multi-factor suspicion scoring model against the raw audit log payload using ILIKE pattern matching. Custom DSM properties objectRef_resource, objectRef_namespace, objectRef_name, verb, and userAgent must be configured in the Kubernetes log source DSM. Falls back to payload-level ILIKE matching when custom properties are unavailable. Scores events from 0 to 6 based on attacker-indicative signals.

Data Sources

IBM QRadar Kubernetes DSM log sourceQRadar Universal DSM with Kubernetes API server audit log ingestion

Required Tables

events

False Positives & Tuning

  • Authorized security scanning or pen-test CronJobs deploying nmap, netcat, or masscan containers in designated test namespaces
  • DevOps tooling that routinely deploys alpine or ubuntu utility pods for ephemeral maintenance and configuration jobs
  • Node-level monitoring CronJobs that mount hostPath volumes for log collection or disk metrics aggregation
Download portable Sigma rule (.yml)

Other platforms for T1053.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Malicious Kubernetes CronJob with Reverse Shell Command

    Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, objectRef.namespace=default, objectRef.name=argus-test-cronjob. Request body will contain image=alpine:latest, command /bin/sh -c, args with nc reverse shell. Subsequent Job and Pod creation events will appear as the schedule triggers. Pod logs will show connection failure.

  2. Test 2Create Privileged Kubernetes Job with Host Path Mount

    Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=jobs, request body contains image=busybox:latest, securityContext.privileged=true, hostPath.path=/etc. Pod creation event follows. Container process execution visible in node container runtime logs and Falco alerts if deployed.

  3. Test 3Create Kubernetes CronJob Using Docker Socket Mount for Container Escape

    Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains hostPath.path=/var/run/docker.sock. Schedule */5 * * * * triggers Jobs periodically. Container execution attempts to access the Docker socket. Falco rule 'Write below monitored dir' or 'Container with sensitive mount' may trigger.

  4. Test 4Deploy Cryptomining CronJob via kubectl

    Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains image=ubuntu:20.04, command with curl download, chmod +x, and execution of downloaded binary. Subsequent pod creation when schedule triggers. Container logs show download failure. Sysmon/auditd on node would show curl process and chmod if running.

Last updated: 2026-04-16 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1053.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002AtT1053.003CronT1053.005Scheduled TaskT1053.006Systemd Timers

Related Techniques

T1053Scheduled Task/JobT1053.005Scheduled TaskT1610Deploy ContainerT1611Escape to HostT1552.007Container APIT1078.004Cloud AccountsT1059.004Unix ShellT1496Resource HijackingT1105Ingress Tool TransferT1046Network Service Discovery

Same Tactic: Execution

Popular Detections