Container Orchestration Job - T1053.007
(ATT&CK® Technique)
Definition
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
D3FEND Inferred Relationships
Relationships between the offensive technique and digital artifacts:
Container Orchestration Job (T1053.007): modifies Job Schedule; invokes Create Process; executes Scheduled Job

Relationships between defensive techniques, digital artifacts, and T1053.007:
Hardware-based Process Isolation: restricts Create Process; isolates Scheduled Job; may-isolate Container Orchestration Job
Kernel-based Process Isolation: isolates Scheduled Job; may-isolate Container Orchestration Job
Application-based Process Isolation: isolates Scheduled Job; may-isolate Container Orchestration Job
Executable Allowlisting: filters Create Process; may-isolate Container Orchestration Job
Executable Denylisting: filters Create Process; may-isolate Container Orchestration Job
Host Shutdown: terminates Scheduled Job; may-evict Container Orchestration Job
Process Termination: terminates Scheduled Job; may-evict Container Orchestration Job
Process Suspension: suspends Scheduled Job; may-evict Container Orchestration Job
Scheduled Job Analysis: analyzes Job Schedule; may-detect Container Orchestration Job
System Daemon Monitoring: monitors Scheduled Job; may-detect Container Orchestration Job
Process Self-Modification Detection: analyzes Scheduled Job; may-detect Container Orchestration Job
Process Spawn Analysis: analyzes Scheduled Job; analyzes Create Process; may-detect Container Orchestration Job
System Call Analysis: analyzes Create Process; may-detect Container Orchestration Job
Host Reboot: terminates Scheduled Job; may-evict Container Orchestration Job
Process Lineage Analysis: analyzes Scheduled Job; may-detect Container Orchestration Job
System Call Filtering: filters Create Process; isolates Scheduled Job; may-isolate Container Orchestration Job