T1578 Modify Cloud Compute Infrastructure Mappings

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1578 Modify Cloud Compute Infrastructure
action.hacking.vector.Hypervisor Hypervisor break-out attack related-to T1578 Modify Cloud Compute Infrastructure
action.hacking.vector.Inter-tenant Penetration of another VM or web site on shared device or infrastructure related-to T1578 Modify Cloud Compute Infrastructure

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1578 Modify Cloud Compute Infrastructure
Comments
Google Security Ops is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral
References
policy_intelligence Policy Intelligence technique_scores T1578 Modify Cloud Compute Infrastructure
Comments
Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to gain access to permissions from modifying infrastructure components.
References
security_command_center Security Command Center technique_scores T1578 Modify Cloud Compute Infrastructure
Comments
SCC detect changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., delete instances, create snapshot, revert cloud instance). This security solution protects against modifications potentially used to remove evidence and evade defenses. Because of the near-real time temporal factor and high detection coverage this control was graded as significant.
References

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1578.004 Revert Cloud Instance 1
T1578.003 Delete Cloud Instance 1
T1578.005 Modify Cloud Compute Configurations 5
T1578.002 Create Cloud Instance 1
T1578.001 Create Snapshot 1