MITRE ATT&CK Technique
Description
Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-03-29T17:06:22.247Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse task scheduling functionality provided '
'by container orchestration tools such as Kubernetes to '
'schedule deployment of containers configured to execute '
'malicious code. Container orchestration jobs run these '
'automated tasks at a specific date and time, similar to cron '
'jobs on a Linux system. Deployments of this type can also be '
'configured to maintain a quantity of containers over time, '
'automating the process of maintaining persistence within a '
'cluster.\n'
'\n'
'In Kubernetes, a CronJob may be used to schedule a Job that '
'runs one or more containers to perform specific '
'tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes '
'CronJob) An adversary therefore may utilize a CronJob to '
'schedule deployment of a Job that executes malicious code in '
'various nodes within a cluster.(Citation: Threat Matrix for '
'Kubernetes)',
'external_references': [{'external_id': 'T1053.007',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1053/007'},
{'description': 'The Kubernetes Authors. (n.d.). '
'Kubernetes CronJob. Retrieved March '
'29, 2021.',
'source_name': 'Kubernetes CronJob',
'url': 'https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/'},
{'description': 'The Kubernetes Authors. (n.d.). '
'Kubernetes Jobs. Retrieved March 30, '
'2021.',
'source_name': 'Kubernetes Jobs',
'url': 'https://kubernetes.io/docs/concepts/workloads/controllers/job/'},
{'description': 'Weizman, Y. (2020, April 2). Threat '
'Matrix for Kubernetes. Retrieved '
'March 30, 2021.',
'source_name': 'Threat Matrix for Kubernetes',
'url': 'https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/'}],
'id': 'attack-pattern--1126cab1-c700-412f-a510-61f4937bb096',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:25.363Z',
'name': 'Container Orchestration Job',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Center for Threat-Informed Defense (CTID)',
'Vishwas Manral, McAfee',
'Yossi Weizman, Azure Defender Research Team'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Containers'],
'x_mitre_version': '1.4'}