Orchestration Job
Within the "Deepening Control" phase, adversaries exploit CI/CD and infrastructure orchestration systems by manipulating orchestration jobs to schedule persistent execution of malicious code. This sub-technique of Scheduled Task involves creating or modifying jobs in platforms like Kubernetes CronJobs, Jenkins pipelines, GitHub Actions, GitLab CI, or Terraform automation so that attacker code executes at predefined intervals. The main security challenge is that these orchestration systems run with elevated privileges in environments where continuous deployment is trusted, which lets attackers blend malicious activity into legitimate automation workflows. Because orchestration jobs typically persist through application restarts or system reboots and may execute across distributed infrastructure, they give attackers both persistence and potential lateral movement capabilities that are difficult to detect among normal operational automation.
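Because a created or modified job is hard to spot among normal automation, one defensive check is to compare the live job inventory against a reviewed baseline. The sketch below is an added example, not part of the original page: it fingerprints each Kubernetes CronJob and reports jobs that are new or whose schedule, image, command or service account changed. The baseline format, the helper names and all sample jobs are assumptions constructed for illustration.

```python
import hashlib
import json

def spec_digest(cj):
    """SHA-256 over the fields that decide what a CronJob runs, when, and as whom."""
    pod = cj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    material = {
        "schedule": cj["spec"]["schedule"],
        "serviceAccount": pod.get("serviceAccountName", "default"),
        # initContainers are folded in too, since they also execute on every run
        "containers": [
            {"image": c["image"], "command": c.get("command", []), "args": c.get("args", []),
             "privileged": bool((c.get("securityContext") or {}).get("privileged"))}
            for c in pod.get("initContainers", []) + pod["containers"]
        ],
    }
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

def audit(cronjob_list, baseline):
    """Return sorted (namespace/name, finding) pairs for unapproved or drifted jobs."""
    findings = []
    for cj in cronjob_list["items"]:
        key = f'{cj["metadata"]["namespace"]}/{cj["metadata"]["name"]}'
        if key not in baseline:
            findings.append((key, "unapproved"))
        elif baseline[key] != spec_digest(cj):
            findings.append((key, "drifted"))
    return sorted(findings)

def make_cronjob(ns, name, schedule, image, command, sa):
    """Constructed sample shaped like one item of `kubectl get cronjobs -A -o json`."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"schedule": schedule, "jobTemplate": {"spec": {"template": {"spec": {
                "serviceAccountName": sa,
                "containers": [{"name": "main", "image": image, "command": command}]}}}}}}

# Constructed data: one reviewed job, then a live inventory that differs from it.
IMG = "registry.example.internal/ops-tools:1.4"
APPROVED = make_cronjob("ops", "db-backup", "0 2 * * *", IMG, ["/backup.sh"], "backup-sa")
BASELINE = {"ops/db-backup": spec_digest(APPROVED)}
LIVE = {"items": [
    make_cronjob("ops", "db-backup", "0 2 * * *", IMG, ["/backup.sh"], "deployer-sa"),
    make_cronjob("ops", "cache-warm", "*/5 * * * *", IMG, ["/warm.sh"], "default"),
]}

if __name__ == "__main__":
    for key, finding in audit(LIVE, BASELINE):
        print(f"{finding:10} {key}")
```

In practice the baseline would be generated from manifests in version control after review, so any finding corresponds to a job that bypassed that review.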