T1053.007 - Kubernetes Cronjob

Description from ATT&CK

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)

Atomic Tests


Atomic Test #1 - ListCronjobs

Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Supported Platforms: Containers

auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | namespace | K8s namespace to list | string | default|

Attack Commands: Run with
1
bash
!

1
kubectl get cronjobs -n #{namespace}

Dependencies: Run with
1
bash
!

Description: kubectl must be installed
Check Prereq Commands:
1
which kubectl
Get Prereq Commands:
1
echo "kubectl must be installed manually"



Atomic Test #2 - CreateCronjob

Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Supported Platforms: Containers

auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | namespace | K8s namespace to list | string | default|

Attack Commands: Run with
1
bash
!

1
kubectl create -f src/cronjob.yaml -n #{namespace}

Cleanup Commands:

1
kubectl delete cronjob art -n #{namespace}

Dependencies: Run with
1
bash
!

Description: kubectl must be installed
Check Prereq Commands:
1
which kubectl
Get Prereq Commands:
1
echo "kubectl must be installed manually"