Rules: Kubernetes ListCronjobs
Detects kubectl used to list Kubernetes cronjobs. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Execution |
| Apply Risk to Entities | device_hostname, device_ip, user_username, srcDevice_ip, srcDevice_hostname, dstDevice_hostname, dstDevice_ip |
| Signal Name | Kubernetes ListCronjobs |
| Summary Expression | User: {{user_username}} ran a command using kubectl to get cronjobs |
| Score/Severity | Static: 2 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0002, _mitreAttackTechnique:T1053, _mitreAttackTechnique:T1053.007 |
| Origin | Field |
|---|---|
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | dstDevice_hostname |
| Normalized Schema | dstDevice_ip |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |