1. Home
  2. Techniques
  3. Enterprise
  4. Modify Cloud Compute Infrastructure
  5. Modify Cloud Compute Configurations

Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations

ID Name
T1578.001 Create Snapshot
T1578.002 Create Cloud Instance
T1578.003 Delete Cloud Instance
T1578.004 Revert Cloud Instance
T1578.005 Modify Cloud Compute Configurations

Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.

For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional Resource Hijacking without raising suspicion by using up a victim’s entire quota.[1] Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.[2]

Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling Unused/Unsupported Cloud Regions.

ID: T1578.005
Sub-technique of:  T1578
Tactic: Defense Evasion
Platforms: IaaS
Contributors: Amir Gharib, Microsoft Threat Intelligence; Blake Strom, Microsoft Threat Intelligence
Version: 2.0
Created: 05 September 2023
Last Modified: 25 September 2024
Version Permalink

Mitigations

ID Mitigation Description
M1047 Audit

Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings.
M1018 User Account Management

Limit permissions to request quotas adjustments or modify tenant-level compute setting to only those required.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Modification

Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. In Azure environments, monitor for changes to tenant-level settings such as enabled regions.[1]

References

  1. Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.
  1. Microsoft. (2023, August 30). Azure Policy built-in policy definitions. Retrieved September 5, 2023.