Description
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)
Platforms
Mitigations (2)
User Account ManagementM1018
Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs.
Privileged Account ManagementM1026
Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.(Citation: Kubernetes Hardening Guide)
References
- The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved March 29, 2021.
- The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March 30, 2021.
- Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.
Frequently Asked Questions
What is T1053.007 (Container Orchestration Job)?
T1053.007 is a MITRE ATT&CK technique named 'Container Orchestration Job'. It belongs to the Execution, Persistence, Privilege Escalation tactic(s). Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container or...
How can T1053.007 be detected?
Detection of T1053.007 (Container Orchestration Job) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1053.007?
There are 2 documented mitigations for T1053.007. Key mitigations include: User Account Management, Privileged Account Management.
Which threat groups use T1053.007?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.