Description
Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.
For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional Resource Hijacking without raising suspicion by using up a victim’s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)
Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling Unused/Unsupported Cloud Regions.
Platforms
Mitigations (2)
User Account ManagementM1018
Limit permissions to request quota adjustments or modify tenant-level compute settings to only those who require them.
AuditM1047
Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings.
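The description above names the control-plane changes this technique relies on (quota increase requests, tenant-wide policy edits, region enablement), and both mitigations come down to knowing which principals are expected to make them. The following is an added example, not part of the ATT&CK page: a small detector that normalises CloudTrail- and Azure Activity Log-shaped records, flags the watched operations, and rates them by whether the caller is on an approved list. The operation names follow the AWS and Azure naming conventions as best I know them and the allowlist and log lines are constructed; verify the names against your provider's documentation before using this as a production rule.

```python
import json
from typing import Iterable

# Watched control-plane operations (assumed names, verify against provider docs).
WATCHED_OPERATIONS = {
    "servicequotas.amazonaws.com:RequestServiceQuotaIncrease": "quota increase",
    "account.amazonaws.com:EnableRegion": "region enabled",
    "Microsoft.Capacity/resourceProviders/locations/serviceLimits/write": "quota increase",
    "Microsoft.Authorization/policyAssignments/write": "policy assignment changed",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment removed",
}

# Constructed allowlist: the only principals expected to change these settings (M1018/M1047).
APPROVED_PRINCIPALS = {
    "arn:aws:iam::111122223333:role/CloudPlatformAdmin",
    "platform-admin@example.com",
}

def operation_key(event: dict) -> str:
    """Normalise a CloudTrail or Azure Activity Log record to one lookup key."""
    if "eventSource" in event:  # CloudTrail shape: eventSource + eventName
        return f"{event['eventSource']}:{event['eventName']}"
    return event.get("operationName", "")  # Azure Activity Log shape

def principal(event: dict) -> str:
    """Return the acting identity from either log shape."""
    if "userIdentity" in event:
        return event["userIdentity"].get("arn", "unknown")
    return event.get("caller", "unknown")

def detect_compute_config_changes(events: Iterable[dict]) -> list[dict]:
    """Flag watched operations; unexpected principals are high severity, approved ones are audit-only."""
    findings = []
    for ev in events:
        label = WATCHED_OPERATIONS.get(operation_key(ev))
        if label is None:
            continue  # reads such as GetServiceQuota are not interesting here
        who = principal(ev)
        findings.append({
            "operation": operation_key(ev),
            "change": label,
            "principal": who,
            "severity": "info" if who in APPROVED_PRINCIPALS else "high",
        })
    return findings

# Constructed sample log lines, one JSON record per line (two AWS, two Azure).
SAMPLE_LOG = """
{"eventSource": "servicequotas.amazonaws.com", "eventName": "RequestServiceQuotaIncrease", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-intern"}, "requestParameters": {"desiredValue": 512}}
{"eventSource": "servicequotas.amazonaws.com", "eventName": "GetServiceQuota", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-intern"}}
{"operationName": "Microsoft.Authorization/policyAssignments/delete", "caller": "contractor@example.com"}
{"operationName": "Microsoft.Authorization/policyAssignments/write", "caller": "platform-admin@example.com"}
"""

SAMPLE_FINDINGS = detect_compute_config_changes(json.loads(line) for line in SAMPLE_LOG.strip().splitlines())
```

Running the block yields three findings: the intern's quota request and the contractor's policy deletion at high severity, and the approved admin's policy write recorded at info level for the routine review M1047 asks for.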
References
- Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.
- Microsoft. (2023, August 30). Azure Policy built-in policy definitions. Retrieved September 5, 2023.
Frequently Asked Questions
What is T1578.005 (Modify Cloud Compute Configurations)?
T1578.005 is a MITRE ATT&CK technique named 'Modify Cloud Compute Configurations'. It belongs to the Defense Impairment tactic(s). Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas,...
How can T1578.005 be detected?
Detection of T1578.005 (Modify Cloud Compute Configurations) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1578.005?
There are 2 documented mitigations for T1578.005. Key mitigations include: User Account Management, Audit.
Which threat groups use T1578.005?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.