Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations

Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.

For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional Resource Hijacking without raising suspicion by using up a victim’s entire quota.[1] Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.[2]

Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling Unused/Unsupported Cloud Regions.

ID: T1578.005
Sub-technique of:  T1578
Tactic: Defense Evasion
Platforms: IaaS
Contributors: Amir Gharib, Microsoft Threat Intelligence; Blake Strom, Microsoft Threat Intelligence
Version: 2.0
Created: 05 September 2023
Last Modified: 15 April 2025

Mitigations

ID Mitigation Description
M1047 Audit

Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings.

M1018 User Account Management

Limit permissions to request quota adjustments or modify tenant-level compute settings to only those accounts that require them.

Detection Strategy

ID: DET0492
Name: Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Analytic ID: AN1356

Analytic Description: Defenders should monitor for anomalous or unauthorized changes to cloud compute configurations that alter quotas, tenant-wide policies, subscription associations, or allowed deployment regions. From a defender’s perspective, suspicious behavior chains include a sudden increase in compute quota requests followed by new instance or resource creation, policy modifications that weaken security restrictions, or enabling previously unused/unsupported cloud regions. Correlation across identity, configuration, and subsequent provisioning logs is critical to distinguish legitimate administrative activity from adversarial abuse.
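The following is an added example, not part of the ATT&CK page, showing the correlation the detection strategy calls for: quota-increase requests (the behavior described under the technique description) are tied to the compute provisioning that follows them, and deployments into regions outside an organizational baseline (the unused/unsupported-region case) are flagged. The log records are constructed for the example and only follow the general shape of AWS CloudTrail events (eventTime, eventSource, eventName, userIdentity.arn, awsRegion, requestParameters); the principal allowlist, approved regions, quota code, instance types and the 24-hour correlation window are all assumptions chosen for illustration.

```python
"""
Added example (not from the ATT&CK page): correlate quota-increase requests
with the compute provisioning that follows them, and flag deployments into
regions outside a baseline.

Assumptions: the records below are constructed and only follow the general
shape of AWS CloudTrail events (eventTime, eventSource, eventName,
userIdentity.arn, awsRegion, requestParameters). The allowlists, the quota
code and the 24-hour window are made up for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed organizational baseline (M1047/M1018): who may ask for quota changes
# and which regions compute is expected to run in.
QUOTA_ADMINS = {"arn:aws:iam::111122223333:role/CloudPlatformAdmin"}
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
CHAIN_WINDOW = timedelta(hours=24)

QUOTA_EVENTS = {"RequestServiceQuotaIncrease"}
PROVISION_EVENTS = {"RunInstances"}

# Constructed sample log: a legitimate admin workflow plus a compromised
# developer identity that raises a quota and immediately launches instances
# in a region the organization does not use.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "servicequotas.amazonaws.com",
     "eventName": "RequestServiceQuotaIncrease", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/CloudPlatformAdmin"},
     "requestParameters": {"serviceCode": "ec2", "quotaCode": "L-1216C47A", "desiredValue": 256}},
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "servicequotas.amazonaws.com",
     "eventName": "RequestServiceQuotaIncrease", "awsRegion": "ap-south-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-jdoe"},
     "requestParameters": {"serviceCode": "ec2", "quotaCode": "L-1216C47A", "desiredValue": 1024}},
    {"eventTime": "2024-01-10T09:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-south-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-jdoe"},
     "requestParameters": {"instanceType": "p3.8xlarge", "maxCount": 20}},
    {"eventTime": "2024-01-11T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/CloudPlatformAdmin"},
     "requestParameters": {"instanceType": "m5.large", "maxCount": 2}},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return findings as dicts with keys analytic, principal, region, time.

    Three analytics, matching the behavior chains in the detection strategy:
      quota_request_by_unexpected_principal: a non-admin asked for more quota
      unapproved_region: compute was provisioned outside APPROVED_REGIONS
      quota_then_provision: a principal raised a quota and created instances
                            within CHAIN_WINDOW of the request
    """
    findings = []
    recent_quota = defaultdict(list)  # principal -> quota request times

    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        principal = ev["userIdentity"]["arn"]
        when = parse_time(ev["eventTime"])
        base = {"principal": principal, "region": ev["awsRegion"], "time": ev["eventTime"]}

        if ev["eventName"] in QUOTA_EVENTS:
            if principal not in QUOTA_ADMINS:
                findings.append(dict(base, analytic="quota_request_by_unexpected_principal"))
            recent_quota[principal].append(when)

        elif ev["eventName"] in PROVISION_EVENTS:
            if ev["awsRegion"] not in APPROVED_REGIONS:
                findings.append(dict(base, analytic="unapproved_region"))
            # Correlation step: any quota request by the same principal inside the window.
            if any(when - q <= CHAIN_WINDOW for q in recent_quota[principal]):
                findings.append(dict(base, analytic="quota_then_provision"))

    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['analytic']:40} {f['principal']} ({f['region']})")
```

Run as a script, it reports three findings, all against the developer identity: the quota request from a principal outside the admin allowlist, the launch into an unapproved region, and the quota-then-provision chain. The administrator's own quota request and a launch 28 hours later fall outside the window and produce nothing, which is the point of correlating on the same principal within a bounded interval rather than alerting on every quota request.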

References