T1578 Modify Cloud Compute Infrastructure

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-05.01 Access privilege limitation Mitigates T1578 Modify Cloud Compute Infrastructure
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
References
    PR.AA-01.02 Physical and logical access Mitigates T1578 Modify Cloud Compute Infrastructure
    Comments
    This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
    References
      PR.PS-01.09 Virtualized end point protection Mitigates T1578 Modify Cloud Compute Infrastructure
      Comments
      The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
      References
        PR.AA-01.01 Identity and credential management Mitigates T1578 Modify Cloud Compute Infrastructure
        Comments
        This diagnostic statement protects against Modify Cloud Compute Infrastructure through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
        References

          VERIS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578 Modify Cloud Compute Infrastructure
          action.hacking.vector.Hypervisor Hypervisor break-out attack related-to T1578 Modify Cloud Compute Infrastructure
          action.hacking.vector.Inter-tenant Penetration of another VM or web site on shared device or infrastructure related-to T1578 Modify Cloud Compute Infrastructure

          Azure Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          microsoft_sentinel Microsoft Sentinel technique_scores T1578 Modify Cloud Compute Infrastructure
          Comments
          The Microsoft Sentinel Hunting "Azure Resources assigned Public IP addresses" query detect suspicious IP address changes.
          References
          azure_role_based_access_control Azure Role-Based Access Control technique_scores T1578 Modify Cloud Compute Infrastructure
          Comments
          This control provides partial protection for all of its sub-techniques and therefore its coverage score factor is Partial, resulting in a Partial score.
          References

          GCP Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          google_secops Google Security Operations technique_scores T1578 Modify Cloud Compute Infrastructure
          Comments
          Google Security Ops is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral
          References
          policy_intelligence Policy Intelligence technique_scores T1578 Modify Cloud Compute Infrastructure
          Comments
          Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to gain access to permissions from modifying infrastructure components.
          References
          security_command_center Security Command Center technique_scores T1578 Modify Cloud Compute Infrastructure
          Comments
          SCC detect changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., delete instances, create snapshot, revert cloud instance). This security solution protects against modifications potentially used to remove evidence and evade defenses. Because of the near-real time temporal factor and high detection coverage this control was graded as significant.
          References

          ATT&CK Subtechniques

          Technique ID Technique Name Number of Mappings
          T1578.004 Revert Cloud Instance 3
          T1578.003 Delete Cloud Instance 15
          T1578.005 Modify Cloud Compute Configurations 15
          T1578.002 Create Cloud Instance 15
          T1578.001 Create Snapshot 15