Home
ATT&CK Techniques
T1578 Modify Cloud Compute Infrastructure

T1578 Modify Cloud Compute Infrastructure

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.AA-05.01	Access privilege limitation	Mitigates	T1578	Modify Cloud Compute Infrastructure	Comments This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques. References
PR.AA-01.02	Physical and logical access	Mitigates	T1578	Modify Cloud Compute Infrastructure	Comments This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts. References
PR.PS-01.09	Virtualized end point protection	Mitigates	T1578	Modify Cloud Compute Infrastructure	Comments The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components. References
PR.AA-01.01	Identity and credential management	Mitigates	T1578	Modify Cloud Compute Infrastructure	Comments This diagnostic statement protects against Modify Cloud Compute Infrastructure through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CM-05	Access Restrictions for Change	mitigates	T1578	Modify Cloud Compute Infrastructure
IA-06	Authentication Feedback	mitigates	T1578	Modify Cloud Compute Infrastructure
IA-04	Identifier Management	mitigates	T1578	Modify Cloud Compute Infrastructure
RA-05	Vulnerability Monitoring and Scanning	mitigates	T1578	Modify Cloud Compute Infrastructure
CM-02	Baseline Configuration	mitigates	T1578	Modify Cloud Compute Infrastructure
IA-02	Identification and Authentication (Organizational Users)	mitigates	T1578	Modify Cloud Compute Infrastructure
SI-04	System Monitoring	mitigates	T1578	Modify Cloud Compute Infrastructure
AC-02	Account Management	mitigates	T1578	Modify Cloud Compute Infrastructure
AC-03	Access Enforcement	mitigates	T1578	Modify Cloud Compute Infrastructure
AC-05	Separation of Duties	mitigates	T1578	Modify Cloud Compute Infrastructure
AC-06	Least Privilege	mitigates	T1578	Modify Cloud Compute Infrastructure

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.hacking.variety.Abuse of functionality	Abuse of functionality.	related-to	T1578	Modify Cloud Compute Infrastructure
action.hacking.vector.Hypervisor	Hypervisor break-out attack	related-to	T1578	Modify Cloud Compute Infrastructure
action.hacking.vector.Inter-tenant	Penetration of another VM or web site on shared device or infrastructure	related-to	T1578	Modify Cloud Compute Infrastructure

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
microsoft_sentinel	Microsoft Sentinel	technique_scores	T1578	Modify Cloud Compute Infrastructure	Comments The Microsoft Sentinel Hunting "Azure Resources assigned Public IP addresses" query detect suspicious IP address changes. References https://learn.microsoft.com/en-us/azure/sentinel/overview https://learn.microsoft.com/en-us/azure/sentinel/hunting
azure_role_based_access_control	Azure Role-Based Access Control	technique_scores	T1578	Modify Cloud Compute Infrastructure	Comments This control provides partial protection for all of its sub-techniques and therefore its coverage score factor is Partial, resulting in a Partial score. References https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
google_secops	Google Security Operations	technique_scores	T1578	Modify Cloud Compute Infrastructure	Comments Google Security Ops is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']
policy_intelligence	Policy Intelligence	technique_scores	T1578	Modify Cloud Compute Infrastructure	Comments Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to gain access to permissions from modifying infrastructure components. References ['https://cloud.google.com/policy-intelligence']
security_command_center	Security Command Center	technique_scores	T1578	Modify Cloud Compute Infrastructure	Comments SCC detect changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., delete instances, create snapshot, revert cloud instance). This security solution protects against modifications potentially used to remove evidence and evade defenses. Because of the near-real time temporal factor and high detection coverage this control was graded as significant. References ['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview' 'https://github.com/GoogleCloudPlatform/security-analytics']

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1578.004	Revert Cloud Instance	3
T1578.003	Delete Cloud Instance	15
T1578.005	Modify Cloud Compute Configurations	15
T1578.002	Create Cloud Instance	15
T1578.001	Create Snapshot	15