T1578: Modify Cloud Compute Infrastructure
| View on MITRE ATT&CK | T1578 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
- Volume Deletion (Volume): Removal of a cloud volume (ex: AWS delete-volume)
- Snapshot Modification (Snapshot): Changes made to a snapshot, such as metadata and control data (ex: AWS modify-snapshot-attribute)
- Volume Metadata (Volume): Contextual data about a cloud volume and activity around it, such as id, type, state, and size
- Volume Modification (Volume): Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)
- Instance Deletion (Instance): Removal of an instance (ex: instance.delete within GCP Audit Logs)
- Cloud Service Metadata (Cloud Service): Contextual data about a cloud service and activity around it, such as name, type, or purpose/function
- Snapshot Deletion (Snapshot): Removal of a snapshot (ex: AWS delete-snapshot)
- Snapshot Metadata (Snapshot): Contextual data about a snapshot, which may include information such as ID, type, and status
- Instance Creation (Instance): Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)
- Snapshot Creation (Snapshot): Initial construction of a new snapshot (ex: AWS create-snapshot)
- Instance Modification (Instance): Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)
- Instance Metadata (Instance): Contextual data about an instance and activity around it, such as name, type, or status
- Volume Creation (Volume): Initial construction of a cloud volume (ex: AWS create-volume)
- Instance Start (Instance): Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)
- Instance Stop (Instance): Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)
Sigma Detections for this Technique
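The data components listed above name the audit-log events that evidence this technique. The following is an added example written for this page; it is not part of MITRE ATT&CK, not a Sigma rule, and not code from the site. It maps AWS CloudTrail `eventName` values and GCP Cloud Audit Log `protoPayload.methodName` values onto those data components, then flags the components that remove evidence or change control data (deletions, snapshot modification, instance and volume modification) when the acting principal is not on an allowlist of expected automation identities. The log records, the allowlist principals, and the exact GCP method strings (`v1.compute.instances.*`) are constructed or assumed for the example.

```python
"""Map cloud audit-log records to the T1578 data components and flag the
ones a defender would triage first.

Constructed example: the records in SAMPLE_EVENTS are hand-written to resemble
AWS CloudTrail (EC2) and GCP Cloud Audit Log entries; they are not real logs.
"""
from typing import Dict, List, Optional

# CloudTrail eventName -> data component (component names as listed above)
AWS_EVENT_MAP = {
    "CreateVolume": "Volume Creation",
    "DeleteVolume": "Volume Deletion",
    "ModifyVolume": "Volume Modification",
    "CreateSnapshot": "Snapshot Creation",
    "DeleteSnapshot": "Snapshot Deletion",
    "ModifySnapshotAttribute": "Snapshot Modification",
}
# GCP audit log protoPayload.methodName -> data component (method strings assumed)
GCP_METHOD_MAP = {
    "v1.compute.instances.insert": "Instance Creation",
    "v1.compute.instances.delete": "Instance Deletion",
    "v1.compute.instances.start": "Instance Start",
    "v1.compute.instances.stop": "Instance Stop",
    "v1.compute.instances.setMetadata": "Instance Modification",
    "v1.compute.instances.addResourcePolicies": "Instance Modification",
}
# Components that remove evidence or alter control data: triage these first.
HIGH_SEVERITY = {"Volume Deletion", "Volume Modification", "Snapshot Deletion",
                 "Snapshot Modification", "Instance Deletion", "Instance Modification"}
# Hypothetical automation principals whose routine lifecycle changes are expected.
ALLOWLIST = {"arn:aws:iam::111111111111:role/backup-automation",
             "backup-sa@example-project.iam.gserviceaccount.com"}


def normalize(record: dict) -> Optional[Dict[str, str]]:
    """Translate one raw record into {component, cloud, actor, target, time};
    return None when the record is not one of the T1578 data components."""
    if "eventName" in record:                       # CloudTrail shape
        component = AWS_EVENT_MAP.get(record["eventName"])
        if component is None:
            return None
        params = record.get("requestParameters", {})
        target = params.get("volumeId") or params.get("snapshotId") or "?"
        return {"component": component, "cloud": "aws",
                "actor": record.get("userIdentity", {}).get("arn", "?"),
                "target": target, "time": record.get("eventTime", "?")}
    if "protoPayload" in record:                    # GCP audit log shape
        payload = record["protoPayload"]
        component = GCP_METHOD_MAP.get(payload.get("methodName", ""))
        if component is None:
            return None
        return {"component": component, "cloud": "gcp",
                "actor": payload.get("authenticationInfo", {}).get("principalEmail", "?"),
                "target": payload.get("resourceName", "?"),
                "time": record.get("timestamp", "?")}
    return None


def detect(records) -> List[Dict[str, str]]:
    """Return findings for high-severity components by non-allowlisted actors."""
    findings = []
    for record in records:
        event = normalize(record)
        if event is None or event["component"] not in HIGH_SEVERITY:
            continue
        if event["actor"] in ALLOWLIST:             # expected automation, no finding
            continue
        event["severity"] = "high"
        findings.append(event)
    return findings


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup-automation"},
     "requestParameters": {"volumeId": "vol-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T10:10:00Z", "eventName": "DeleteVolume",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup-automation"},
     "requestParameters": {"volumeId": "vol-0fedcba9876543210"}},
    {"eventTime": "2024-05-01T10:15:00Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0"}},
    {"timestamp": "2024-05-01T10:20:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.delete",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1"}},
    {"timestamp": "2024-05-01T10:25:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.start",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/example-project/zones/us-central1-a/instances/web-2"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the allowlisted volume deletion and the read-only `DescribeInstances` call produce nothing, while the snapshot deletion, the snapshot attribute change and the GCP instance deletion by a human principal are returned as findings. Separating `normalize` from `detect` keeps the provider-specific field names in one place so the same severity logic can be reused for other clouds.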
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.