Kubernetes CronJob/Job Modification

Rule Info

Name
Kubernetes CronJob/Job Modification
Author
kelnage
Description
Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
Reference
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
Date
2024-07-11 00:00:00
Modified
None
Id
0c9b3bda-41a6-4442-9345-356ae86343dc
Tags
attack.persistence attack.privilege-escalation attack.execution DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=0c9b3bda-41a6-4442-9345-356ae86343dc

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nick Moore
Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format
2024-07-11
97034d23b
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022