An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1578 | Modify Cloud Compute Infrastructure | |
| action.hacking.vector.Hypervisor | Hypervisor break-out attack | related-to | T1578 | Modify Cloud Compute Infrastructure | |
| action.hacking.vector.Inter-tenant | Penetration of another VM or web site on shared device or infrastructure | related-to | T1578 | Modify Cloud Compute Infrastructure |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1578 | Modify Cloud Compute Infrastructure |
Comments
Google Security Ops is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral
References
|
| policy_intelligence | Policy Intelligence | technique_scores | T1578 | Modify Cloud Compute Infrastructure |
Comments
Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to gain access to permissions from modifying infrastructure components.
References
|
| security_command_center | Security Command Center | technique_scores | T1578 | Modify Cloud Compute Infrastructure |
Comments
SCC detect changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., delete instances, create snapshot, revert cloud instance). This security solution protects against modifications potentially used to remove evidence and evade defenses. Because of the near-real time temporal factor and high detection coverage this control was graded as significant.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1578.004 | Revert Cloud Instance | 1 |
| T1578.003 | Delete Cloud Instance | 12 |
| T1578.005 | Modify Cloud Compute Configurations | 11 |
| T1578.002 | Create Cloud Instance | 12 |
| T1578.001 | Create Snapshot | 12 |