Detect Container Orchestration Job in Sumo Logic CSE
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.007 Container Orchestration Job
- Canonical reference
- https://attack.mitre.org/techniques/T1053/007/
Sumo Detection Query
_sourceCategory=kubernetes/audit
| json field=_raw "verb" as verb nodrop
| json field=_raw "objectRef.resource" as resource nodrop
| json field=_raw "objectRef.namespace" as namespace nodrop
| json field=_raw "objectRef.name" as resource_name nodrop
| json field=_raw "user.username" as actor nodrop
| json field=_raw "userAgent" as user_agent nodrop
| json field=_raw "sourceIPs[0]" as source_ip nodrop
| json field=_raw "requestObject" as request_body nodrop
| where resource in ("cronjobs", "jobs")
| where verb in ("create", "update", "patch")
| eval IsSuspiciousImage = if(matches(request_body, "(?i)(alpine|busybox|ubuntu|debian|kali|python|perl|ruby|php|ncat|netcat|nmap|masscan)"), 1, 0)
| eval IsSuspiciousCmd = if(matches(request_body, "(?i)(bash -i|/dev/tcp|mkfifo|socat|base64 -d|ncat|chmod \\+x)"), 1, 0)
| eval IsHostPath = if(matches(request_body, "hostPath"), 1, 0)
| eval IsPrivileged = if(matches(request_body, "privileged.*true"), 1, 0)
| eval IsHostNetwork = if(matches(request_body, "hostNetwork.*true"), 1, 0)
| eval IsSensitiveMount = if(matches(request_body, "(/var/run/docker.sock|/proc|/sys)"), 1, 0)
| eval SuspicionScore = IsSuspiciousImage + IsSuspiciousCmd + IsHostPath + IsPrivileged + IsHostNetwork + IsSensitiveMount
| where SuspicionScore > 0
| fields _messagetime, resource, verb, namespace, resource_name, actor, user_agent, source_ip, IsSuspiciousImage, IsSuspiciousCmd, IsHostPath, IsPrivileged, IsHostNetwork, IsSensitiveMount, SuspicionScore
| sort by SuspicionScore desc, _messagetime descDetects suspicious Kubernetes CronJob and Job creation events in Sumo Logic by extracting structured fields from Kubernetes API server audit logs and computing a multi-factor suspicion score. Parses the requestObject JSON blob and evaluates six independent risk signals: attacker-favored container images, shell escape sequences, hostPath volume mounts, privileged container flags, host network sharing, and sensitive filesystem access. Events scoring above zero are surfaced ranked by severity.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Python or Ruby container-based data pipeline CronJobs scheduled by analytics or ML teams
- Security team authorized CronJobs running kali or nmap containers for scheduled vulnerability scans in isolated test namespaces
- Infrastructure automation jobs using hostPath mounts for node-level log agent deployment or disk usage monitoring
Other platforms for T1053.007
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Malicious Kubernetes CronJob with Reverse Shell Command
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, objectRef.namespace=default, objectRef.name=argus-test-cronjob. Request body will contain image=alpine:latest, command /bin/sh -c, args with nc reverse shell. Subsequent Job and Pod creation events will appear as the schedule triggers. Pod logs will show connection failure.
- Test 2Create Privileged Kubernetes Job with Host Path Mount
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=jobs, request body contains image=busybox:latest, securityContext.privileged=true, hostPath.path=/etc. Pod creation event follows. Container process execution visible in node container runtime logs and Falco alerts if deployed.
- Test 3Create Kubernetes CronJob Using Docker Socket Mount for Container Escape
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains hostPath.path=/var/run/docker.sock. Schedule */5 * * * * triggers Jobs periodically. Container execution attempts to access the Docker socket. Falco rule 'Write below monitored dir' or 'Container with sensitive mount' may trigger.
- Test 4Deploy Cryptomining CronJob via kubectl
Expected signal: Kubernetes API audit log: verb=create, objectRef.resource=cronjobs, request body contains image=ubuntu:20.04, command with curl download, chmod +x, and execution of downloaded binary. Subsequent pod creation when schedule triggers. Container logs show download failure. Sysmon/auditd on node would show curl process and chmod if running.
References (11)
- https://attack.mitre.org/techniques/T1053/007/
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://falco.org/docs/rules/
- https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md
- https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
- https://docs.microsoft.com/en-us/azure/aks/monitor-aks
- https://www.cncf.io/blog/2021/12/06/cloud-native-security-whitepaper/
- https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/kubernetes
Unlock Pro Content
Get the full detection package for T1053.007 including response playbook, investigation guide, and atomic red team tests.