T1578.005 Modify Cloud Compute Configurations

Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.

For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional Resource Hijacking without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)

Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling Unused/Unsupported Cloud Regions.
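The three behaviours the description names (quota increase requests, changes to tenant-wide policy that caps VM sizes, and enablement of previously unused regions) all surface as control-plane API calls, so the practical detection is a filter over CloudTrail and Azure Activity Log records. The script below is an added example, not code from ATT&CK or any cloud provider. The log records are constructed, and the mapping of operation names to behaviours (AWS `servicequotas` and `account` event names, Azure `Microsoft.Quota` and `Microsoft.Authorization` operation names) is the author's assumption to be checked against current provider documentation.

```python
"""Flag control-plane events matching T1578.005 behaviours (added example).

Assumptions: operation names below are taken from memory of the AWS CloudTrail
and Azure Activity Log schemas; verify them against your provider's reference
before deploying. All sample records are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

# (eventSource, eventName) -> behaviour; assumed CloudTrail values.
AWS_OPERATIONS = {
    ("servicequotas.amazonaws.com", "RequestServiceQuotaIncrease"): "quota_increase",
    ("servicequotas.amazonaws.com", "PutServiceQuotaIncreaseRequestIntoTemplate"): "quota_increase",
    ("account.amazonaws.com", "EnableRegion"): "region_enablement",
}
# lower-cased operationName -> behaviour; assumed Azure Activity Log values.
AZURE_OPERATIONS = {
    "microsoft.quota/quotas/write": "quota_increase",
    "microsoft.authorization/policyassignments/delete": "policy_change",
    "microsoft.authorization/policyassignments/write": "policy_change",
    "microsoft.authorization/policyexemptions/write": "policy_change",
}


@dataclass(frozen=True)
class Finding:
    provider: str
    behaviour: str
    principal: str
    operation: str
    detail: str


def classify_cloudtrail(event: dict) -> Optional[Finding]:
    """Return a Finding for a CloudTrail record that matches, else None."""
    key = (event.get("eventSource", ""), event.get("eventName", ""))
    behaviour = AWS_OPERATIONS.get(key)
    if behaviour is None:
        return None
    params = event.get("requestParameters") or {}
    # Quota requests carry the requested value; region enablement carries the region name.
    detail = params.get("desiredValue", params.get("regionName", ""))
    principal = (event.get("userIdentity") or {}).get("arn", "unknown")
    return Finding("aws", behaviour, principal, key[1], str(detail))


def classify_azure_activity(event: dict) -> Optional[Finding]:
    """Return a Finding for an Azure Activity Log record that matches, else None."""
    op = event.get("operationName", "")
    if isinstance(op, dict):  # REST output nests the name under "value"
        op = op.get("value", "")
    behaviour = AZURE_OPERATIONS.get(op.lower())
    if behaviour is None:
        return None
    # Only a succeeded write changes the tenant; "Started"/"Accepted" rows are noise.
    if str(event.get("status", "")).lower() not in ("succeeded", "success"):
        return None
    return Finding("azure", behaviour, event.get("caller", "unknown"),
                   op, event.get("resourceId", ""))


def analyse(cloudtrail: List[dict], azure: List[dict]) -> List[Finding]:
    findings = [f for f in map(classify_cloudtrail, cloudtrail) if f]
    findings += [f for f in map(classify_azure_activity, azure) if f]
    return findings


# Constructed sample records (not real logs).
SAMPLE_CLOUDTRAIL = [
    {"eventSource": "servicequotas.amazonaws.com", "eventName": "RequestServiceQuotaIncrease",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-svc"},
     "requestParameters": {"serviceCode": "ec2", "quotaCode": "L-EXAMPLE", "desiredValue": 512}},
    {"eventSource": "account.amazonaws.com", "eventName": "EnableRegion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-svc"},
     "requestParameters": {"regionName": "ap-east-1"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ReadOnly"}},
]
SAMPLE_AZURE = [
    {"operationName": "Microsoft.Authorization/policyAssignments/delete", "status": "Succeeded",
     "caller": "ops@example.com", "resourceId": "/subscriptions/sub-1/providers/Microsoft.Authorization/policyAssignments/allowed-vm-skus"},
    {"operationName": {"value": "Microsoft.Quota/quotas/write"}, "status": "Succeeded",
     "caller": "ops@example.com", "resourceId": "/subscriptions/sub-1/providers/Microsoft.Compute/locations/eastus/providers/Microsoft.Quota/quotas/standardDSv3Family"},
    {"operationName": "Microsoft.Authorization/policyAssignments/delete", "status": "Started",
     "caller": "ops@example.com", "resourceId": "/subscriptions/sub-1/providers/Microsoft.Authorization/policyAssignments/allowed-vm-skus"},
    {"operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
     "caller": "dev@example.com", "resourceId": "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"},
]


def demo() -> List[Finding]:
    return analyse(SAMPLE_CLOUDTRAIL, SAMPLE_AZURE)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against the constructed input the script reports four findings: a quota request and a region enablement from the same AWS principal, and a successful policy assignment deletion and quota write from the same Azure caller. Correlating on principal is the useful next step, since the technique is rarely an isolated event.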


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.AA-01.02 | Physical and logical access | Mitigates | T1578.005 | Modify Cloud Compute Configurations
Notes: This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.005 | Modify Cloud Compute Configurations
Notes: The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
PR.AA-01.01 | Identity and credential management | Mitigates | T1578.005 | Modify Cloud Compute Configurations
Notes: This diagnostic statement protects against Modify Cloud Compute Configurations through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
AC-20 | Use of External Systems | mitigates | T1578.005 | Modify Cloud Compute Configurations
AC-06 | Least Privilege | mitigates | T1578.005 | Modify Cloud Compute Configurations
AC-03 | Access Enforcement | mitigates | T1578.005 | Modify Cloud Compute Configurations
AC-02 | Account Management | mitigates | T1578.005 | Modify Cloud Compute Configurations
CM-03 | Configuration Change Control | mitigates | T1578.005 | Modify Cloud Compute Configurations

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1578.005 | Modify Cloud Compute Configurations
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1578.005 | Modify Cloud Compute Configurations

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1578.005 | Modify Cloud Compute Configurations
Notes: This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
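Knowing how many accounts can perform the privileged operations means resolving role assignments against role definitions, including wildcards and NotActions, rather than reading role names. The script below is an added example, not part of the mappings or Azure's tooling. It implements the Azure RBAC matching rule as the author understands it (an action is permitted when some Actions pattern matches it and no NotActions pattern does; `*` matches any characters including `/`; matching is case-insensitive). The role definitions and assignments are constructed: "Contributor" carries only a subset of the real built-in NotActions, "Quota Requester" is a hypothetical custom role, and every assignment is assumed to sit at the same subscription scope.

```python
"""Audit which principals can perform T1578.005-relevant Azure actions (added example).

Assumptions: Azure RBAC evaluation modelled as Actions minus NotActions with
'*' wildcards and case-insensitive matching; DataActions, deny assignments and
scope inheritance are ignored. Role definitions and assignments are constructed.
"""
import re
from typing import Dict, List

# Operations that change quotas or tenant-wide policy (assumed operation names).
SENSITIVE_ACTIONS = [
    "Microsoft.Quota/quotas/write",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/policyExemptions/write",
]

# Constructed role definitions (Contributor's NotActions are a subset of the real list).
ROLE_DEFINITIONS: Dict[str, dict] = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    # Hypothetical custom role that exists only in this example.
    "Quota Requester": {"Actions": ["Microsoft.Quota/quotas/read", "Microsoft.Quota/quotas/write"],
                        "NotActions": []},
}

# Constructed assignments: principal -> list of role names (all at subscription scope).
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["Owner"],
    "bob": ["Contributor"],
    "carol": ["Reader"],
    "dave": ["Quota Requester"],
    "ci-sp": ["Contributor", "Reader"],
}


def _pattern_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' matches any run of characters, case-insensitive."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*")
    return re.fullmatch(regex, action.lower()) is not None


def role_permits(definition: dict, action: str) -> bool:
    """True if the role grants the action: some Actions pattern matches and no NotActions pattern does."""
    allowed = any(_pattern_matches(p, action) for p in definition.get("Actions", []))
    denied = any(_pattern_matches(p, action) for p in definition.get("NotActions", []))
    return allowed and not denied


def principals_with(action: str,
                    role_defs: Dict[str, dict] = ROLE_DEFINITIONS,
                    assignments: Dict[str, List[str]] = ASSIGNMENTS) -> List[str]:
    """Sorted principals holding at least one role that permits the action."""
    return sorted(p for p, roles in assignments.items()
                  if any(role_permits(role_defs[r], action) for r in roles))


def audit(actions: List[str] = SENSITIVE_ACTIONS) -> Dict[str, List[str]]:
    return {a: principals_with(a) for a in actions}


if __name__ == "__main__":
    for action, principals in audit().items():
        print(f"{action}: {', '.join(principals) or '(nobody)'}")
```

On the constructed data only alice can touch policy assignments and exemptions, because Contributor's NotActions carve `Microsoft.Authorization/*/Write` and `.../Delete` back out of `*`, while quota writes are reachable by alice, bob, ci-sp and dave. The quota write is the case reviewers tend to miss: Contributor's wildcard covers it, so every Contributor assignment is a quota-increase path.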

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
google_secops | Google Security Operations | technique_scores | T1578.005 | Modify Cloud Compute Configurations
Notes: Google Security Operations is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes). This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral
policy_intelligence | Policy Intelligence | technique_scores | T1578.005 | Modify Cloud Compute Configurations
Notes: Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize it based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to gain access to permissions for modifying infrastructure components.
security_command_center | Security Command Center | technique_scores | T1578.005 | Modify Cloud Compute Configurations
Notes: SCC detects changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., delete instances, create snapshot, revert cloud instance). This security solution protects against modifications potentially used to remove evidence and evade defenses. Because of the near-real-time temporal factor and high detection coverage, this control was graded as significant.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
aws_config | AWS Config | technique_scores | T1578.005 | Modify Cloud Compute Configurations
Notes: AWS Config managed rules can periodically evaluate resource configurations to provide partial detection coverage for Cloud Compute Configuration changes.