title: Container Orchestration Job (T1053.007)
id: df00tech-t1053-007
status: experimental
description: "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks. An adversary may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster."
references:
  - https://attack.mitre.org/techniques/T1053/007/
  - https://df00tech.com/detections/T1053.007
author: df00tech
date: 2026/04/16
tags:
  - attack.t1053.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate CI/CD pipeline jobs that use base images like alpine or ubuntu for build tasks
  - Cluster maintenance CronJobs that use curl or wget to check service health endpoints
  - Log rotation or data cleanup jobs that use shell commands like /bin/sh -c
  - "Security scanning jobs (Falco, Trivy, kube-bench) that mount host paths for vulnerability assessment"
  - Operators and controllers that create jobs programmatically as part of normal cluster operations
level: high