- Tactics
- defense-impairment
- Platforms
- IaaS
- Reference
- attack.mitre.org/techniques/T1578
Description
An adversary may attempt to modify a cloud account’s compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the defense-impairment tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1112 — Modify Registry
- T1207 — Rogue Domain Controller
- T1222 — File and Directory Permissions Modification
- T1484 — Domain or Tenant Policy Modification
- T1553 — Subvert Trust Controls
- T1556 — Modify Authentication Process
- T1599 — Network Boundary Bridging
- T1600 — Weaken Encryption
- T1601 — Modify System Image
- T1647 — Plist File Modification
- T1666 — Modify Cloud Resource Hierarchy
- T1685 — Disable or Modify Tools