Description
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)
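The description above names the operations an adversary uses here: creating, deleting, or altering instances and snapshots. Because those same API calls are routine for legitimate administrators, a useful detection keys on who issued them rather than on the call alone. The script below is an added example (not from the ATT&CK page or MITRE) that maps constructed CloudTrail-style records to the sub-techniques listed on this page and reports calls made by principals outside an expected allow-list. The event-name-to-sub-technique mapping, the allow-list, and the sample records are my own assumptions for illustration; Create Snapshot is listed without an ID because the page gives none.

```python
import json

# Assumed mapping of EC2 API event names (as CloudTrail records them) to the
# T1578 sub-techniques named on the page. Illustrative, not an official list.
T1578_EVENTS = {
    "CreateSnapshot": "Create Snapshot",
    "RunInstances": "T1578.002 Create Cloud Instance",
    "TerminateInstances": "T1578.003 Delete Cloud Instance",
    "ModifyInstanceAttribute": "T1578.005 Modify Cloud Compute Configurations",
}

# Constructed allow-list: principals expected to change compute infrastructure.
EXPECTED_PRINCIPALS = {"arn:aws:iam::123456789012:role/InfraDeployRole"}

# Constructed CloudTrail-style records for the demonstration (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/InfraDeployRole"},
     "sourceIPAddress": "10.0.0.5"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "203.0.113.7",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "203.0.113.7"},
]


def load_records(raw_json):
    """Accept either a CloudTrail log file ({"Records": [...]}) or a bare list."""
    data = json.loads(raw_json)
    return data["Records"] if isinstance(data, dict) else data


def analyze_events(events, expected=EXPECTED_PRINCIPALS):
    """Return findings for T1578-relevant events issued by unexpected principals.

    A denied call (errorCode present) is still reported: a failed attempt to
    delete or modify compute infrastructure is itself worth an analyst's look.
    """
    findings = []
    for ev in events:
        sub_technique = T1578_EVENTS.get(ev.get("eventName"))
        if sub_technique is None:
            continue  # read-only or unrelated API call
        actor = ev.get("userIdentity", {}).get("arn", "<unknown>")
        if actor in expected:
            continue  # routine change by an approved deployment identity
        findings.append({
            "time": ev.get("eventTime"),
            "sub_technique": sub_technique,
            "actor": actor,
            "source_ip": ev.get("sourceIPAddress"),
            "succeeded": "errorCode" not in ev,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_events(load_records(json.dumps(SAMPLE_EVENTS))):
        print(json.dumps(finding))
```

Run against the constructed sample, the script reports the contractor's successful snapshot creation and the denied termination attempt, and stays silent on the deployment role's own instance launch and on the read-only describe call.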
Platforms
Sub-Techniques (5)
Create Snapshot
T1578.002 Create Cloud Instance
T1578.003 Delete Cloud Instance
T1578.004 Revert Cloud Instance
T1578.005 Modify Cloud Compute Configurations
Mitigations (2)
User Account Management (M1018)
Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-
Audit (M1047)
Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
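Both mitigations above come down to one question an entitlement review has to answer: which principals can actually create, delete, or alter compute components? The script below is an added example (not from the ATT&CK page or MITRE) that evaluates constructed IAM policy documents against a set of compute-modifying actions and lists every principal holding such rights outside an expected set. The action list, the sample policies, and the expected set are my own assumptions; the evaluation honours the IAM rule that an explicit Deny overrides an Allow and matches wildcard actions, but ignores conditions, resource scoping, and NotAction, so the result is an upper bound rather than a full policy simulation.

```python
import fnmatch

# Illustrative subset of EC2 actions that create, delete, or alter compute
# components (assumption; extend for the provider and services you run).
COMPUTE_MODIFY_ACTIONS = [
    "ec2:RunInstances",
    "ec2:TerminateInstances",
    "ec2:CreateSnapshot",
    "ec2:DeleteSnapshot",
    "ec2:ModifyInstanceAttribute",
]

# Constructed principal -> attached IAM policy documents.
SAMPLE_ENTITLEMENTS = {
    "role/InfraDeployRole": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
             "Resource": "*"},
        ],
    }],
    "user/analyst": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        ],
    }],
    "user/contractor": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
            {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
        ],
    }],
}

# Constructed expected set: the only identity meant to change compute resources.
EXPECTED_PRINCIPALS = {"role/InfraDeployRole"}


def _as_list(value):
    """IAM allows a string or a list in Statement and Action; normalise to list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policies, candidates=COMPUTE_MODIFY_ACTIONS):
    """Return the candidate actions a principal may perform under its policies.

    Action patterns such as "ec2:*" or "ec2:Delete*" are matched with fnmatch
    (IAM action matching is case-insensitive, so both sides are lower-cased).
    An explicit Deny removes an action even if another statement allows it.
    """
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            target = allowed if stmt.get("Effect") == "Allow" else denied
            for action in candidates:
                if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                    target.add(action)
    return sorted(allowed - denied)


def review_entitlements(entitlements, expected=EXPECTED_PRINCIPALS):
    """Map each principal to its compute-modifying actions and single out those
    outside the expected set: the list an auditor acts on during a periodic review."""
    report = {p: allowed_actions(pols) for p, pols in entitlements.items()}
    unexpected = {p: acts for p, acts in report.items() if acts and p not in expected}
    return report, unexpected


if __name__ == "__main__":
    report, unexpected = review_entitlements(SAMPLE_ENTITLEMENTS)
    for principal, actions in report.items():
        print(f"{principal}: {actions or 'no compute-modifying rights'}")
    print("needs review:", sorted(unexpected))
```

On the constructed data the analyst holds nothing relevant, the deployment role holds exactly the two actions it was granted, and the contractor's `ec2:*` grant surfaces as four compute-modifying rights (termination is removed by the Deny), which is the finding a least-privilege review would act on.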
Frequently Asked Questions
What is T1578 (Modify Cloud Compute Infrastructure)?
T1578 is a MITRE ATT&CK technique named 'Modify Cloud Compute Infrastructure'. It belongs to the Defense Impairment tactic. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modif...
How can T1578 be detected?
Detection of T1578 (Modify Cloud Compute Infrastructure) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1578?
There are 2 documented mitigations for T1578. Key mitigations include: User Account Management, Audit.
Which threat groups use T1578?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.