An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1578 | Modify Cloud Compute Infrastructure | |
AC-3 | Access Enforcement | Protects | T1578 | Modify Cloud Compute Infrastructure | |
AC-5 | Separation of Duties | Protects | T1578 | Modify Cloud Compute Infrastructure | |
AC-6 | Least Privilege | Protects | T1578 | Modify Cloud Compute Infrastructure | |
CA-8 | Penetration Testing | Protects | T1578 | Modify Cloud Compute Infrastructure | |
CM-5 | Access Restrictions for Change | Protects | T1578 | Modify Cloud Compute Infrastructure | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1578 | Modify Cloud Compute Infrastructure | |
IA-4 | Identifier Management | Protects | T1578 | Modify Cloud Compute Infrastructure | |
IA-6 | Authentication Feedback | Protects | T1578 | Modify Cloud Compute Infrastructure | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1578 | Modify Cloud Compute Infrastructure | |
SI-4 | System Monitoring | Protects | T1578 | Modify Cloud Compute Infrastructure | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1578 | Modify Cloud Compute Infrastructure | The Azure Sentinel Hunting "Azure Resources assigned Public IP addresses" query detects suspicious IP address changes. |
role_based_access_control | Role Based Access Control | technique_scores | T1578 | Modify Cloud Compute Infrastructure | This control provides partial protection for all of its sub-techniques and therefore its coverage score factor is Partial, resulting in a Partial score. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1578 | Modify Cloud Compute Infrastructure | This control can identify anomalous admin activity. Relevant alerts include "Multiple storage deletion activities", "Multiple VM creation activities", and "Suspicious creation activity for cloud region". |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1578.002 | Create Cloud Instance | 13 |
T1578.001 | Create Snapshot | 13 |
T1578.003 | Delete Cloud Instance | 13 |
T1578.004 | Revert Cloud Instance | 2 |