Info
ID: AT-DC007.001
Technique: Scheduled Task
Tactic: Deepening Control
Platforms: Linux, macOS, Windows, K8s, IaaS
Permissions Required: Container orchestrator access or container management privileges
Version: 1.0
Container
Scheduled task manipulation within container environments is a sophisticated persistence technique employed during the Deepening Control phase, where attackers compromise containerized workloads to maintain presence and execute commands at predetermined intervals. The technique abuses container orchestration mechanisms such as Kubernetes CronJobs, Docker scheduled tasks, or container init systems (systemd, cron) to create tasks that periodically execute malicious code. Adversaries typically modify container images, inject malicious entries into configuration files, or use container orchestration APIs to establish these scheduled operations. Once in place, the tasks can perform command-and-control communications, lateral movement attempts, or privilege escalation while blending in with legitimate container operations. The technique is particularly hard to detect because it operates within ephemeral container environments where logging may be limited, and because scheduled tasks often look like normal automation within containerized infrastructure.
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0032 | Container: Container Creation | Alert when new CronJob resources are created by service accounts without create RBAC permissions or outside standard deployment pipelines. |
| DS0032 | Container: Container Start | Detect containers started by CronJobs whose image digests are not in the approved image allow-list. |
| DS0003 | Scheduled Job Creation | Identify CronJobs specifying privileged pods, hostNetwork, or secret mounts atypical for the namespace. |
| DS0022 | File: File Modification | Monitor container filesystem for unexpected edits to /etc/crontab or /etc/periodic/* after image start. |
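One way to implement the DS0032 and DS0003 rows above over kube-apiserver audit events, as an added example that is not part of this technique page: it assumes the cluster audit policy records batch/v1 CronJob requests at the RequestResponse level (so each event's `requestObject` carries the submitted spec), and the service-account allow-list, the approved digest, and the three audit events it scans are constructed placeholders rather than real cluster data.

```python
"""Flag suspicious batch/v1 CronJob creations in kube-apiserver audit events.

Added example, not code from the original technique page. It assumes the audit
policy logs CronJob requests at RequestResponse level, so `requestObject` holds
the submitted spec. Allow-lists and events below are constructed placeholders.
"""
import json

# Constructed allow-lists (hypothetical): identities permitted to create
# CronJobs and image digests approved by the deployment pipeline.
PIPELINE_ACCOUNTS = {"system:serviceaccount:ci:deployer"}
APPROVED_DIGEST = "sha256:" + "ab" * 32  # placeholder digest
APPROVED_DIGESTS = {APPROVED_DIGEST}


def _pod_spec(cronjob):
    """Walk spec.jobTemplate.spec.template.spec of a CronJob object."""
    return (cronjob.get("spec", {}).get("jobTemplate", {}).get("spec", {})
            .get("template", {}).get("spec", {}))


def cronjob_findings(event):
    """Return findings for one audit event; empty if benign or not a CronJob create."""
    ref = event.get("objectRef", {})
    if (event.get("verb") != "create" or ref.get("resource") != "cronjobs"
            or ref.get("apiGroup") != "batch"):
        return []
    findings = []
    user = event.get("user", {}).get("username", "")
    if user not in PIPELINE_ACCOUNTS:  # DS0032: creator outside the pipeline
        findings.append(f"created by non-pipeline identity {user}")
    pod = _pod_spec(event.get("requestObject", {}))
    if pod.get("hostNetwork"):  # DS0003: hostNetwork
        findings.append("hostNetwork enabled")
    for c in pod.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):  # DS0003: privileged
            findings.append(f"privileged container {c.get('name')}")
        image = c.get("image", "")  # DS0032: digest must be on the allow-list
        digest = image.rsplit("@", 1)[1] if "@" in image else None
        if digest is None:
            findings.append(f"image not pinned by digest: {image}")
        elif digest not in APPROVED_DIGESTS:
            findings.append(f"image digest not on allow-list: {image}")
    for v in pod.get("volumes", []):  # DS0003: secret / hostPath mounts
        if "secret" in v:
            findings.append(f"secret mount {v['secret'].get('secretName')}")
        if "hostPath" in v:
            findings.append(f"hostPath mount {v['hostPath'].get('path')}")
    return findings


def scan_audit_log(lines):
    """Map 'namespace/name' -> findings for every flagged CronJob creation."""
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        findings = cronjob_findings(event)
        if findings:
            ref = event["objectRef"]
            flagged[f"{ref.get('namespace')}/{ref.get('name')}"] = findings
    return flagged


def _event(user, namespace, name, pod_spec, resource="cronjobs", group="batch"):
    """Build one constructed audit.k8s.io/v1 event as a JSON line."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": user},
        "objectRef": {"resource": resource, "apiGroup": group, "apiVersion": "v1",
                      "namespace": namespace, "name": name},
        "requestObject": {"spec": {"schedule": "*/5 * * * *", "jobTemplate": {
            "spec": {"template": {"spec": pod_spec}}}}},
    })


# Constructed sample audit log: a benign pipeline deployment, a CronJob created
# from a namespace's default service account with the traits the detection rows
# describe, and an unrelated Pod creation that must not be flagged.
SAMPLE_AUDIT_LINES = [
    _event("system:serviceaccount:ci:deployer", "reports", "nightly-report",
           {"containers": [{"name": "report",
                            "image": "registry.example/report@" + APPROVED_DIGEST}]}),
    _event("system:serviceaccount:prod:default", "prod", "cache-refresh",
           {"hostNetwork": True,
            "containers": [{"name": "refresh", "image": "registry.example/tools:latest",
                            "securityContext": {"privileged": True}}],
            "volumes": [{"name": "creds", "secret": {"secretName": "db-credentials"}}]}),
    _event("system:serviceaccount:ci:deployer", "reports", "report-x1",
           {"containers": [{"name": "c", "image": "registry.example/report:1.0"}]},
           resource="pods", group=""),
]

if __name__ == "__main__":
    for key, findings in scan_audit_log(SAMPLE_AUDIT_LINES).items():
        print(key, "->", "; ".join(findings))
```

Run over a real audit log, `scan_audit_log` takes the JSON-lines file as an iterable of lines; only `create` events on the `batch` `cronjobs` resource are evaluated, so Pod, Job and other writes pass through untouched. The digest check deliberately treats a tag-only image reference as a finding rather than silently accepting it, since a mutable tag cannot be matched against a digest allow-list. Add namespace-specific baselines (which namespaces legitimately mount secrets or run with hostNetwork) before using the secret-mount and hostNetwork findings as alerts on their own.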
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Enforce namespace-scoped service accounts and remove default automount of service-account tokens to limit CronJob abuse. |
| M1038 | Execution Prevention | Apply PodSecurityPolicy/OPA Gatekeeper/Kyverno rules to prohibit jobs with privileged or hostPath settings. |
| M1047 | Audit | Enable audit logs for batch/v1 CronJob API calls and forward them to the SIEM with anomaly baselines. |