T1578 Modify Cloud Compute Infrastructure Mappings

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1578 Modify Cloud Compute Infrastructure
AC-3 Access Enforcement Protects T1578 Modify Cloud Compute Infrastructure
AC-5 Separation of Duties Protects T1578 Modify Cloud Compute Infrastructure
AC-6 Least Privilege Protects T1578 Modify Cloud Compute Infrastructure
CA-8 Penetration Testing Protects T1578 Modify Cloud Compute Infrastructure
CM-5 Access Restrictions for Change Protects T1578 Modify Cloud Compute Infrastructure
IA-2 Identification and Authentication (organizational Users) Protects T1578 Modify Cloud Compute Infrastructure
IA-4 Identifier Management Protects T1578 Modify Cloud Compute Infrastructure
IA-6 Authentication Feedback Protects T1578 Modify Cloud Compute Infrastructure
RA-5 Vulnerability Monitoring and Scanning Protects T1578 Modify Cloud Compute Infrastructure
SI-4 System Monitoring Protects T1578 Modify Cloud Compute Infrastructure
azure_sentinel Azure Sentinel technique_scores T1578 Modify Cloud Compute Infrastructure
role_based_access_control Role Based Access Control technique_scores T1578 Modify Cloud Compute Infrastructure
cloud_app_security_policies Cloud App Security Policies technique_scores T1578 Modify Cloud Compute Infrastructure

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1578.002 Create Cloud Instance 13
T1578.001 Create Snapshot 13
T1578.003 Delete Cloud Instance 13
T1578.004 Revert Cloud Instance 2