Modify Cloud Compute Configurations
Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses or abuse victim resources. Targeted configurations include service quotas, subscription-level policies that restrict VM sizes or regions, tenant-wide Azure Policy assignments, and cloud provider quota request workflows. By increasing allowed compute quotas or removing policy guardrails, adversaries can launch large GPU/CPU instances for cryptomining or deploy resources in unsupported regions that lack monitoring coverage — all without triggering standard resource-creation alerts that assume baseline quota limits. Real-world incidents include compromised Azure tenants where attackers submitted quota increase requests for high-core-count VM SKUs (Standard_NC series for GPU mining) and removed Azure Policy assignments that enforced allowed VM sizes, enabling deployment of previously blocked instance types.
// Control-plane operations that raise quotas, remove or weaken policy guardrails,
// or enable regions/features, as they appear (uppercase) in AzureActivity.OperationNameValue
let SuspiciousComputeOps = dynamic([
"MICROSOFT.QUOTA/QUOTAS/WRITE",
"MICROSOFT.QUOTA/QUOTAREQUESTS/WRITE",
"MICROSOFT.CAPACITY/CATALOGS/OFFERS/WRITE",
"MICROSOFT.COMPUTE/LOCATIONS/USAGES/WRITE",
"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE",
"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE",
"MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE",
"MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/WRITE",
"MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/DELETE",
"MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/LOCATIONS/WRITE",
"MICROSOFT.FEATURES/FEATURES/REGISTER",
"MICROSOFT.FEATURES/PROVIDERS/FEATURES/REGISTER"
]);
AzureActivity
| where TimeGenerated > ago(24h)
// Exact, case-insensitive match against the list
| where tostring(OperationNameValue) in~ (SuspiciousComputeOps)
| where ActivityStatusValue =~ "Success" or ActivityStatusValue =~ "Succeeded"
// Claims is a JSON string; identity claims are keyed by their full claim URIs, not short names
| extend ClaimsJson = parse_json(Claims)
| extend CallerUPN = tostring(ClaimsJson["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"])
| extend CallerAppId = tostring(ClaimsJson.appid)
| extend CallerObjectId = tostring(ClaimsJson["http://schemas.microsoft.com/identity/claims/objectidentifier"])
// A token without a UPN claim belongs to a service principal rather than a user
| extend IsServicePrincipal = isempty(CallerUPN)
| extend EffectiveCaller = iif(IsServicePrincipal, strcat("SP:", CallerAppId), CallerUPN)
// contains (substring) rather than has (whole term): has "POLICYASSIGNMENT" would not match POLICYASSIGNMENTS
| extend PolicyOperation = OperationNameValue contains "POLICYASSIGNMENTS" or OperationNameValue contains "POLICYEXEMPTIONS" or OperationNameValue contains "POLICYSETDEFINITIONS"
| extend QuotaOperation = OperationNameValue contains "QUOTA" or OperationNameValue contains "CAPACITY"
| extend RegionOperation = OperationNameValue contains "LOCATIONS" or OperationNameValue contains "FEATURES"
| project TimeGenerated, CallerIpAddress, EffectiveCaller, CallerUPN, CallerAppId, CallerObjectId, IsServicePrincipal,
OperationNameValue, ResourceGroup, _ResourceId, SubscriptionId,
PolicyOperation, QuotaOperation, RegionOperation,
Properties, HTTPRequest
| sort by TimeGenerated desc
Data Sources
- Azure Activity Log (Azure Monitor)
Required Tables
- AzureActivity
- Cloud infrastructure teams legitimately requesting quota increases for planned expansion or new workloads
- Azure Policy assignments being modified during sanctioned governance reviews or policy updates by the security team
- DevOps automation pipelines (Terraform, Bicep, Azure DevOps) that manage infrastructure-as-code including policy and quota configurations
- Cloud governance tooling (Azure Blueprints, Defender for Cloud regulatory compliance) that modifies policy assignments as part of compliance remediation
- Service principals used by approved CSPM or cloud management platforms that regularly enumerate or adjust resource configurations
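The query's triage logic combined with the allowlisting suggested by the false positives above, as an added Python example that is not part of this detection package: it applies the same operation list, claim parsing and service-principal resolution to constructed Activity Log events. The allowlisted app ID, the sample callers and the IP addresses are placeholders, not real telemetry.

```python
import json

# Operation names as they appear in AzureActivity.OperationNameValue (uppercase form).
SUSPICIOUS_OPS = {
    "MICROSOFT.QUOTA/QUOTAS/WRITE", "MICROSOFT.QUOTA/QUOTAREQUESTS/WRITE",
    "MICROSOFT.CAPACITY/CATALOGS/OFFERS/WRITE", "MICROSOFT.COMPUTE/LOCATIONS/USAGES/WRITE",
    "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE", "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE",
    "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE", "MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/WRITE",
    "MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/DELETE", "MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/LOCATIONS/WRITE",
    "MICROSOFT.FEATURES/FEATURES/REGISTER", "MICROSOFT.FEATURES/PROVIDERS/FEATURES/REGISTER",
}
# Activity Log identity claims are keyed by full claim URIs, not short names like "upn".
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
APPID_CLAIM = "appid"
# Hypothetical allowlist of service principals owned by sanctioned IaC pipelines (placeholder ID).
ALLOWED_AUTOMATION_APPIDS = {"00000000-0000-0000-0000-00000000aaaa"}

def categorize(op):
    """Tag an operation as policy-, quota- or region-related (substring match, like KQL contains)."""
    return {"policy": "POLICY" in op,
            "quota": "QUOTA" in op or "CAPACITY" in op,
            "region": "LOCATIONS" in op or "FEATURES" in op}

def triage(events):
    """Return findings for successful suspicious operations not attributable to allowlisted automation."""
    findings = []
    for ev in events:
        op = ev.get("operationName", "").upper()
        if op not in SUSPICIOUS_OPS or ev.get("status", "").lower() not in ("succeeded", "success"):
            continue
        claims = ev.get("claims", {})
        if isinstance(claims, str):  # AzureActivity.Claims arrives as a JSON string
            claims = json.loads(claims)
        upn, appid = claims.get(UPN_CLAIM, ""), claims.get(APPID_CLAIM, "")
        is_sp = not upn  # no UPN claim: the token belongs to a service principal
        if is_sp and appid in ALLOWED_AUTOMATION_APPIDS:
            continue  # known IaC/governance automation, see false positives above
        caller = f"SP:{appid}" if is_sp else upn
        findings.append({"caller": caller, "op": op, "ip": ev.get("callerIpAddress"), **categorize(op)})
    return findings

# Constructed sample events (not real telemetry); addresses come from RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Authorization/policyAssignments/delete", "status": "Succeeded",
     "callerIpAddress": "203.0.113.10", "claims": json.dumps({UPN_CLAIM: "alice@contoso.example"})},
    {"operationName": "Microsoft.Quota/quotaRequests/write", "status": "Succeeded",
     "callerIpAddress": "198.51.100.7", "claims": {APPID_CLAIM: "00000000-0000-0000-0000-00000000aaaa"}},
    {"operationName": "Microsoft.Quota/quotaRequests/write", "status": "Succeeded",
     "callerIpAddress": "198.51.100.9", "claims": {APPID_CLAIM: "11111111-2222-3333-4444-555555555555"}},
]
```

Running `triage(SAMPLE_EVENTS)` yields two findings: the user who deleted a policy assignment and the non-allowlisted service principal that submitted a quota request; the allowlisted pipeline principal is suppressed.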
References (9)
- https://attack.mitre.org/techniques/T1578/005/
- https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
- https://learn.microsoft.com/en-us/rest/api/quota/quota/update
- https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md