T1053.007 Microsoft Sentinel · KQL

Detect Container Orchestration Job in Microsoft Sentinel

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.007 Container Orchestration Job
Canonical reference
https://attack.mitre.org/techniques/T1053/007/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect suspicious Kubernetes CronJob/Job creation via Kubernetes audit logs ingested into Sentinel
// Requires AzureDiagnostics or AKS audit log ingestion via Diagnostic Settings
let SuspiciousImages = dynamic([
  "alpine", "busybox", "ubuntu", "debian", "kali",
  "python", "perl", "ruby", "php",
  "ncat", "netcat", "nmap", "masscan",
  "curl", "wget"
]);
let SuspiciousCommands = dynamic([
  "curl", "wget", "bash -i", "/dev/tcp", "nc ", "ncat",
  "python -c", "perl -e", "ruby -e",
  "chmod +x", "base64 -d", "eval",
  "/bin/sh -c", "/bin/bash -c",
  "mkfifo", "socat"
]);
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "kube-audit" or Category == "kube-audit-admin"
| extend AuditLog = parse_json(log_s)
| extend
    Verb = tostring(AuditLog.verb),
    Resource = tostring(AuditLog.objectRef.resource),
    Namespace = tostring(AuditLog.objectRef.namespace),
    Name = tostring(AuditLog.objectRef.name),
    User = tostring(AuditLog.user.username),
    UserAgent = tostring(AuditLog.userAgent),
    SourceIP = tostring(AuditLog.sourceIPs[0]),
    RequestBody = tostring(AuditLog.requestObject)
| where Resource in~ ("cronjobs", "jobs")
| where Verb in~ ("create", "update", "patch")
| extend IsSuspiciousImage = RequestBody has_any (SuspiciousImages)
| extend IsSuspiciousCommand = RequestBody has_any (SuspiciousCommands)
| extend IsHostPathMount = RequestBody has "hostPath"
| extend IsPrivileged = RequestBody has "privileged"
| extend IsHostNetwork = RequestBody has "hostNetwork"
| extend IsSensitiveMount = RequestBody has_any ("/etc", "/var/run/docker.sock", "/proc", "/sys")
| extend IsServiceAccountToken = RequestBody has "automountServiceAccountToken"
| extend SuspicionScore = toint(IsSuspiciousImage) + toint(IsSuspiciousCommand) + toint(IsHostPathMount) + toint(IsPrivileged) + toint(IsHostNetwork) + toint(IsSensitiveMount)
| where SuspicionScore > 0
| project
    TimeGenerated, Resource, Verb, Namespace, Name,
    User, UserAgent, SourceIP,
    IsSuspiciousImage, IsSuspiciousCommand, IsHostPathMount,
    IsPrivileged, IsHostNetwork, IsSensitiveMount,
    IsServiceAccountToken, SuspicionScore,
    RequestBody
| sort by SuspicionScore desc, TimeGenerated desc
high severity medium confidence

Detects suspicious Kubernetes CronJob or Job creation and modification via AKS audit logs ingested into Microsoft Sentinel via Azure Diagnostics. Identifies resource creation using suspicious base images, dangerous command patterns (reverse shells, download cradles), privileged containers, host path mounts, and sensitive volume mounts. Assigns a suspicion score based on multiple risk indicators to prioritize alerts.

Data Sources

Cloud Service: Cloud Service ModificationKubernetes Audit LogsAzure Kubernetes Service Diagnostic Logs

Required Tables

AzureDiagnostics

False Positives & Tuning

  • Legitimate CI/CD pipeline jobs that use base images like alpine or ubuntu for build tasks
  • Cluster maintenance CronJobs that use curl or wget to check service health endpoints
  • Log rotation or data cleanup jobs that use shell commands like /bin/sh -c
  • Security scanning jobs (Falco, Trivy, kube-bench) that mount host paths for vulnerability assessment
  • Operators and controllers that create jobs programmatically as part of normal cluster operations
Download portable Sigma rule (.yml)

Other platforms for T1053.007

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Malicious Kubernetes CronJob with Reverse Shell Command

    Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, objectRef.namespace=default, objectRef.name=argus-test-cronjob. Request body will contain image=alpine:latest, command /bin/sh -c, args with nc reverse shell. Subsequent Job and Pod creation events will appear as the schedule triggers. Pod logs will show connection failure.

  2. Test 2Create Privileged Kubernetes Job with Host Path Mount

    Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=jobs, request body contains image=busybox:latest, securityContext.privileged=true, hostPath.path=/etc. Pod creation event follows. Container process execution visible in node container runtime logs and Falco alerts if deployed.

  3. Test 3Create Kubernetes CronJob Using Docker Socket Mount for Container Escape

    Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains hostPath.path=/var/run/docker.sock. Schedule */5 * * * * triggers Jobs periodically. Container execution attempts to access the Docker socket. Falco rule 'Write below monitored dir' or 'Container with sensitive mount' may trigger.

  4. Test 4Deploy Cryptomining CronJob via kubectl

    Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains image=ubuntu:20.04, command with curl download, chmod +x, and execution of downloaded binary. Subsequent pod creation when schedule triggers. Container logs show download failure. Sysmon/auditd on node would show curl process and chmod if running.

Last updated: 2026-04-16 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1053.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002AtT1053.003CronT1053.005Scheduled TaskT1053.006Systemd Timers

Related Techniques

T1053Scheduled Task/JobT1053.005Scheduled TaskT1610Deploy ContainerT1611Escape to HostT1552.007Container APIT1078.004Cloud AccountsT1059.004Unix ShellT1496Resource HijackingT1105Ingress Tool TransferT1046Network Service Discovery

Same Tactic: Execution

Popular Detections