1. Home
  2. ATT&CK Techniques
  3. T1578 Modify Cloud Compute Infrastructure

T1578 Modify Cloud Compute Infrastructure Mappings

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1578 Modify Cloud Compute Infrastructure
AC-3 Access Enforcement Protects T1578 Modify Cloud Compute Infrastructure
AC-5 Separation of Duties Protects T1578 Modify Cloud Compute Infrastructure
AC-6 Least Privilege Protects T1578 Modify Cloud Compute Infrastructure
CA-8 Penetration Testing Protects T1578 Modify Cloud Compute Infrastructure
CM-5 Access Restrictions for Change Protects T1578 Modify Cloud Compute Infrastructure
IA-2 Identification and Authentication (organizational Users) Protects T1578 Modify Cloud Compute Infrastructure
IA-4 Identifier Management Protects T1578 Modify Cloud Compute Infrastructure
IA-6 Authentication Feedback Protects T1578 Modify Cloud Compute Infrastructure
RA-5 Vulnerability Monitoring and Scanning Protects T1578 Modify Cloud Compute Infrastructure
SI-4 System Monitoring Protects T1578 Modify Cloud Compute Infrastructure
azure_sentinel Azure Sentinel technique_scores T1578 Modify Cloud Compute Infrastructure
Comments
The Azure Sentinel Hunting "Azure Resources assigned Public IP addresses" query detect suspicious IP address changes.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
role_based_access_control Role Based Access Control technique_scores T1578 Modify Cloud Compute Infrastructure
Comments
This control provides partial protection for all of its sub-techniques and therefore its coverage score factor is Partial, resulting in a Partial score.
References
  1. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
cloud_app_security_policies Cloud App Security Policies technique_scores T1578 Modify Cloud Compute Infrastructure
Comments
This control can identify anomalous admin activity. Relevant alerts include "Multiple storage deletion activities", "Multiple VM creation activities", and "Suspicious creation activity for cloud region".
References
  1. https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery
  2. https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection
  3. https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1578.002 Create Cloud Instance 13
T1578.001 Create Snapshot 13
T1578.003 Delete Cloud Instance 13
T1578.004 Revert Cloud Instance 2