MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1578.005: Modify Cloud Compute Configurations

Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.

For example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional Resource Hijacking without raising suspicion by using up a victim’s entire quota. Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.

Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling Unused/Unsupported Cloud Regions. In Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources, or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

yandex_cloud: PT-CR-820: Yandex_Cloud_Virtual_Machine_Existing_Address_Assign: An existing IP address is assigned to a virtual machine
yandex_cloud: PT-CR-822: Yandex_Cloud_Virtual_Machine_Multiple_Addresses_Assign: Multiple IP addresses are assigned to a virtual machine
yandex_cloud: PT-CR-823: Yandex_Cloud_Virtual_Machine_Public_Address_Assign: An external IP address is assigned to a virtual machine
yandex_cloud: PT-CR-824: Yandex_Cloud_Virtual_Machine_Serial_Port_Enable: Access to the serial console of a virtual machine is granted

Detection

ID: DS0025
Data source and component: Cloud Service: Cloud Service Modification
Description:

Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. Monitor for changes to tenant-level settings such as subscriptions and enabled regions.
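The detection guidance above, as an added example that is not part of the MaxPatrol SIEM knowledge base or the MITRE technique text: a small Python detector that implements the three checks (a burst of quota increases by one principal in a short window, a quota increase in a region with no known workloads, and any tenant-level change such as a subscription transfer or region enablement) over constructed audit-trail records. The event schema (fields time, principal, action, region, details) and action names such as compute.quota.increase are assumptions, not any provider's real log format; the set of regions with known workloads would normally come from an inventory rather than a literal.

```python
"""Sample detection logic for T1578.005 (Modify Cloud Compute Configurations).

Added example; the event schema and action names below are a constructed,
provider-neutral approximation of a cloud audit-trail record. Real Yandex
Cloud, Azure or AWS audit logs use different field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail records (not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "principal": "alice@example.test",
     "action": "compute.quota.increase", "region": "ru-central1",
     "details": {"quota": "vcpu", "old": 64, "new": 96}},
    {"time": "2024-05-01T09:02:00", "principal": "alice@example.test",
     "action": "compute.quota.increase", "region": "ru-central1",
     "details": {"quota": "ram_gb", "old": 256, "new": 512}},
    {"time": "2024-05-01T09:03:30", "principal": "alice@example.test",
     "action": "compute.quota.increase", "region": "eu-west9",
     "details": {"quota": "vcpu", "old": 8, "new": 256}},
    {"time": "2024-05-01T11:30:00", "principal": "svc-deploy@example.test",
     "action": "compute.instance.create", "region": "ru-central1",
     "details": {"instance": "web-01"}},
    {"time": "2024-05-01T12:00:00", "principal": "alice@example.test",
     "action": "tenant.subscription.transfer", "region": None,
     "details": {"subscription": "sub-0001", "target_tenant": "tenant-zzz"}},
]

# Assumed action names (constructed); map these to the real audit event
# types of the provider you ingest.
QUOTA_ACTIONS = {"compute.quota.increase"}
TENANT_ACTIONS = {
    "tenant.subscription.create",
    "tenant.subscription.transfer",
    "tenant.region.enable",
    "tenant.policy.modify",
}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect(events, known_regions, burst_threshold=3, window=timedelta(minutes=10)):
    """Return a list of alert dicts for the given audit events.

    known_regions: regions where the tenant actually runs workloads. In a
    real deployment this comes from an asset inventory; callers here pass a
    constructed set.
    """
    events = sorted(events, key=_ts)
    alerts = []
    quota_times = defaultdict(list)  # principal -> timestamps of quota increases

    for e in events:
        if e["action"] in QUOTA_ACTIONS:
            quota_times[e["principal"]].append(_ts(e))
            # Check 2: quota raised in a region with no known workloads.
            if e["region"] not in known_regions:
                alerts.append({
                    "rule": "quota_increase_unused_region",
                    "principal": e["principal"],
                    "region": e["region"],
                    "time": e["time"],
                })
        elif e["action"] in TENANT_ACTIONS:
            # Check 3: any tenant-level compute setting change is alert-worthy.
            alerts.append({
                "rule": "tenant_setting_change",
                "principal": e["principal"],
                "action": e["action"],
                "time": e["time"],
            })

    # Check 1: sliding window over each principal's quota increases.
    for principal, times in quota_times.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append({
                    "rule": "quota_burst",
                    "principal": principal,
                    "count": end - start + 1,
                    "window_start": times[start].isoformat(),
                })
                break  # one burst alert per principal is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, known_regions={"ru-central1"}):
        print(alert)
```

The sample run raises three alerts: the three increases by the same principal within 3.5 minutes, the increase in eu-west9 where nothing is deployed, and the subscription transfer. Tune burst_threshold and window to the tenant's normal change rate, and treat the region baseline as data the detector reads, not a constant.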

Mitigation

ID: M1018
Name: User Account Management
Description:

Limit permissions to request quota adjustments or modify tenant-level compute settings to only those required.

ID: M1047
Name: Audit
Description:

Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings.