An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence. (Citation: Mandiant M-Trends 2020)

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1578 | Modify Cloud Compute Infrastructure |
AC-03 | Access Enforcement | Protects | T1578 | Modify Cloud Compute Infrastructure |
AC-05 | Separation of Duties | Protects | T1578 | Modify Cloud Compute Infrastructure |
AC-06 | Least Privilege | Protects | T1578 | Modify Cloud Compute Infrastructure |
CA-08 | Penetration Testing | Protects | T1578 | Modify Cloud Compute Infrastructure |
CM-05 | Access Restrictions for Change | Protects | T1578 | Modify Cloud Compute Infrastructure |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1578 | Modify Cloud Compute Infrastructure |
IA-04 | Identifier Management | Protects | T1578 | Modify Cloud Compute Infrastructure |
IA-06 | Authentication Feedback | Protects | T1578 | Modify Cloud Compute Infrastructure |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1578 | Modify Cloud Compute Infrastructure |
SI-04 | System Monitoring | Protects | T1578 | Modify Cloud Compute Infrastructure |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1578.003 | Delete Cloud Instance | 11 |
T1578.005 | Modify Cloud Compute Configurations | 5 |
T1578.002 | Create Cloud Instance | 11 |
T1578.001 | Create Snapshot | 11 |