Kubernetes CronJob/Job Modification

Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.

Sigma rule

title: Kubernetes CronJob/Job Modification
id: 0c9b3bda-41a6-4442-9345-356ae86343dc
related:
    - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
      type: similar
status: experimental
description: |
    Detects when a Kubernetes CronJob or Job is created or modified.
    A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
    An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
author: kelnage
date: 2024-07-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'batch'
        objectRef.resource:
            - 'cronjobs'
            - 'jobs'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
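As an added example (not part of the Sigma rule or of SigmaHQ's tooling), the rule's selection expressed as a small Python matcher run over constructed kube-apiserver audit events in JSON-lines form; the `allowed_users` parameter is an assumption showing how the listed false positives (administrators, automation identities) could be tuned out.

```python
import json

# Selection mirrored from the Sigma rule above (objectRef.apiGroup, objectRef.resource, verb).
RESOURCES = {"cronjobs", "jobs"}
VERBS = {"create", "delete", "patch", "replace", "update"}

# Constructed sample kube-apiserver audit events (audit.k8s.io/v1 field names), one JSON object per line.
SAMPLE_AUDIT = """\
{"verb":"create","user":{"username":"alice"},"objectRef":{"apiGroup":"batch","resource":"cronjobs","namespace":"default","name":"backup"}}
{"verb":"get","user":{"username":"alice"},"objectRef":{"apiGroup":"batch","resource":"jobs","namespace":"default","name":"backup-1"}}
{"verb":"patch","user":{"username":"system:serviceaccount:kube-system:cronjob-controller"},"objectRef":{"apiGroup":"batch","resource":"jobs","namespace":"default","name":"backup-1"}}
{"verb":"update","user":{"username":"bob"},"objectRef":{"apiGroup":"apps","resource":"deployments","namespace":"default","name":"web"}}
{"verb":"delete","user":{"username":"bob"},"objectRef":{"apiGroup":"batch","resource":"cronjobs","namespace":"prod","name":"cleanup"}}
"""


def matches(event: dict) -> bool:
    """True when an audit event satisfies the rule's selection."""
    ref = event.get("objectRef") or {}
    return (
        ref.get("apiGroup") == "batch"
        and ref.get("resource") in RESOURCES
        and event.get("verb") in VERBS
    )


def detect(audit_lines: str, allowed_users: frozenset = frozenset()) -> list:
    """Run the selection over JSON-lines audit events.

    allowed_users is a hypothetical tuning knob for the false positives the rule
    lists (administrators and automation); it is not part of the Sigma rule itself.
    Returns (username, verb, resource, namespace, name) tuples for each hit.
    """
    alerts = []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not matches(event):
            continue  # e.g. read-only 'get', or non-batch resources such as deployments
        user = event.get("user", {}).get("username", "")
        if user in allowed_users:
            continue  # known automation / admin identity filtered out
        ref = event["objectRef"]
        alerts.append((user, event["verb"], ref["resource"],
                       ref.get("namespace", ""), ref.get("name", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT):
        print("ALERT", alert)
```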
