K-CRONJOB-PERSISTPersistence

Malicious CronJob / DaemonSet

Create a privileged CronJob or DaemonSet that re-implants the attacker on every node — survives pod restarts.

§ Where this technique fits

K-CRONJOB-PERSIST is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 5 on average.

§ Dossiers chaining this technique

ArgoCD weak RBAC → cluster admin via custom Application
ArgoCD installed with the default admin user and broad RBAC. Attacker creates an Application pointing at attacker manifests — ArgoCD syncs them with cluster-admin.
step 4 / 6
Docker socket exposed in pod → host root
A workload mounts /var/run/docker.sock for convenience; spawn a container with the host root mounted, then chroot in for root on the node.
step 6 / 6

§ What commonly comes next

01
Privileged Container Escape
K-PRIV-CONTAINER · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

ArgoCD weak RBAC → cluster admin via custom Application

Docker socket exposed in pod → host root

§ What commonly comes next