Skip to content

T1578 Modify Cloud Compute Infrastructure

An adversary may attempt to modify a cloud account’s compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.1

Item Value
ID T1578
Sub-techniques T1578.001, T1578.002, T1578.003, T1578.004
Tactics TA0005
Platforms IaaS
Permissions required User
Version 1.1
Created 30 August 2019
Last Modified 20 April 2021

Mitigations

ID Mitigation Description
M1047 Audit Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
M1018 User Account Management Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.1

Detection

ID Data Source Data Component
DS0030 Instance Instance Creation
DS0020 Snapshot Snapshot Creation
DS0034 Volume Volume Creation

References

  1. Google. (n.d.). Audit Logs. Retrieved June 1, 2020. 

  2. Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.