Detect Modify Cloud Compute Configurations in Google Chronicle
Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses or abuse victim resources. Targeted configurations include service quotas, subscription-level policies that restrict VM sizes or regions, tenant-wide Azure Policy assignments, and cloud provider quota request workflows. By increasing allowed compute quotas or removing policy guardrails, adversaries can launch large GPU/CPU instances for cryptomining or deploy resources in unsupported regions that lack monitoring coverage — all without triggering standard resource-creation alerts that assume baseline quota limits. Real-world incidents include compromised Azure tenants where attackers submitted quota increase requests for high-core-count VM SKUs (Standard_NC series for GPU mining) and removed Azure Policy assignments that enforced allowed VM sizes, enabling deployment of previously blocked instance types.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.005 Modify Cloud Compute Configurations
- Canonical reference
- https://attack.mitre.org/techniques/T1578/005/
YARA-L Detection Query
rule T1578_005_cloud_infra_modification {
meta:
author = "Detection Engineering"
description = "Detects suspicious cloud infrastructure modifications"
severity = "high"
confidence = "medium"
mitre_attack = "T1578.005"
reference = "https://attack.mitre.org/techniques/T1578/005/"
events:
$e.metadata.event_type = "USER_RESOURCE_ACCESS"
re.regex($e.metadata.product_event_type, `(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)`)
not re.regex($e.principal.user.email_addresses, `(?i)(backup|automation|serviceaccount)`)
condition:
$e
}Google Chronicle YARA-L 2.0 detection for Modify Cloud Compute Configurations. Detects modifications to Azure cloud compute configurations including quota increase requests, Azure Policy assignment modifications or deletions (which could remove VM size or region restrictions), p
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud administrators performing scheduled backup snapshot creation
- Automated disaster recovery solutions creating routine cloud instance snapshots
- DevOps CI/CD pipelines creating and deleting compute instances during deployments
- Authorized cloud migration projects moving instances between regions
Other platforms for T1578.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure Quota Increase Request via Azure CLI
Expected signal: AzureActivity log entry with OperationNameValue='MICROSOFT.QUOTA/QUOTAREQUESTS/WRITE', ActivityStatusValue='Succeeded', CallerIpAddress matching the machine running the command, Claims.upn matching the authenticated Azure CLI user.
- Test 2Delete Azure Policy Assignment via Azure CLI
Expected signal: Two AzureActivity entries: first with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE' (creation), second with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE' (deletion). Both with ActivityStatusValue='Succeeded'. The DELETE operation is the high-severity event that triggers alerting.
- Test 3Enable Unused Azure Region via Feature Registration
Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.FEATURES/PROVIDERS/FEATURES/REGISTER' or 'MICROSOFT.RESOURCES/PROVIDERS/REGISTER', ActivityStatusValue='Succeeded'. CallerIpAddress and Claims.upn identify the caller.
- Test 4Create Azure Policy Exemption to Bypass Security Control
Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE', ActivityStatusValue='Succeeded'. The exemption category (Waiver vs Mitigated), scope, and referenced policy assignment are captured in the Properties field.
References (9)
- https://attack.mitre.org/techniques/T1578/005/
- https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
- https://learn.microsoft.com/en-us/rest/api/quota/quota/update
- https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md
Unlock Pro Content
Get the full detection package for T1578.005 including response playbook, investigation guide, and atomic red team tests.