| ID | Name |
|---|---|
| ATAGS-T1059.001 | At |
| ATAGS-T1059.002 | Container Orchestration Job |
| ATAGS-T1059.003 | Cron |
| ATAGS-T1059.004 | Scheduled Task |
| ATAGS-T1059.005 | Systemd Timers |
Threat actors may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.