An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1578 | Modify Cloud Compute Infrastructure | |
| action.hacking.vector.Hypervisor | Hypervisor break-out attack | related-to | T1578 | Modify Cloud Compute Infrastructure | |
| action.hacking.vector.Inter-tenant | Penetration of another VM or web site on shared device or infrastructure | related-to | T1578 | Modify Cloud Compute Infrastructure |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1578.004 | Revert Cloud Instance | 1 |
| T1578.003 | Delete Cloud Instance | 1 |
| T1578.005 | Modify Cloud Compute Configurations | 2 |
| T1578.002 | Create Cloud Instance | 1 |
| T1578.001 | Create Snapshot | 1 |