Kubernetes CronJob/Job Modification

Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.

Sigma rule (View on GitHub)

 1title: Kubernetes CronJob/Job Modification
 2id: 0c9b3bda-41a6-4442-9345-356ae86343dc
 3related:
 4    - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
 5      type: similar
 6status: experimental
 7description: |
 8    Detects when a Kubernetes CronJob or Job is created or modified.
 9    A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
10    An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.    
11references:
12    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
13    - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
14author: kelnage
15date: 2024/07/11
16tags:
17    - attack.persistence
18    - attack.privilege_escalation
19    - attack.execution
20logsource:
21    product: kubernetes
22    service: audit
23detection:
24    selection:
25        objectRef.apiGroup: 'batch'
26        objectRef.resource:
27            - 'cronjobs'
28            - 'jobs'
29        verb:
30            - 'create'
31            - 'delete'
32            - 'patch'
33            - 'replace'
34            - 'update'
35    condition: selection
36falsepositives:
37    - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
38    - Automated processes may need to take these actions and may need to be filtered.
39level: medium

References

Related rules

to-top