Detect Modify Cloud Compute Configurations in IBM QRadar
Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses or abuse victim resources. Targeted configurations include service quotas, subscription-level policies that restrict VM sizes or regions, tenant-wide Azure Policy assignments, and cloud provider quota request workflows. By increasing allowed compute quotas or removing policy guardrails, adversaries can launch large GPU/CPU instances for cryptomining or deploy resources in unsupported regions that lack monitoring coverage — all without triggering standard resource-creation alerts that assume baseline quota limits. Real-world incidents include compromised Azure tenants where attackers submitted quota increase requests for high-core-count VM SKUs (Standard_NC series for GPU mining) and removed Azure Policy assignments that enforced allowed VM sizes, enabling deployment of previously blocked instance types.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.005 Modify Cloud Compute Configurations
- Canonical reference
- https://attack.mitre.org/techniques/T1578/005/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
username, "Operation" AS CloudOperation,
"ResourceType" AS CloudResource,
"ResourceGroup", "SubscriptionId",
CASE
WHEN "Operation" ILIKE '%delete%' OR "Operation" ILIKE '%destroy%' THEN 90
WHEN "Operation" ILIKE '%snapshot%' AND "ResultType" = 'Success' THEN 70
WHEN "Operation" ILIKE '%create%instance%' THEN 60
ELSE 40
END AS RiskScore,
CASE
WHEN "Operation" ILIKE '%delete%' THEN 'Cloud Resource Deletion'
WHEN "Operation" ILIKE '%snapshot%' THEN 'Snapshot Operation'
WHEN "Operation" ILIKE '%create%' THEN 'Cloud Resource Creation'
ELSE 'Cloud Modification'
END AS AlertType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%azure%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%cloudtrail%'
AND ("Operation" ILIKE '%compute%' OR "Operation" ILIKE '%instance%' OR "Operation" ILIKE '%snapshot%' OR "Operation" ILIKE '%virtualMachine%')
AND username NOT ILIKE '%azure%automation%'
AND username NOT ILIKE '%backup%service%'
ORDER BY RiskScore DESC
LAST 1 HOURSQRadar AQL detection for Modify Cloud Compute Configurations. Detects modifications to Azure cloud compute configurations including quota increase requests, Azure Policy assignment modifications or deletions (which could remove VM size or region restrictions), p
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud administrators performing snapshot and backup operations
- Automated DR solutions creating scheduled cloud instance snapshots
- DevOps pipelines creating and deleting instances as part of CI/CD
- Authorized infrastructure scaling or migration events
Other platforms for T1578.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure Quota Increase Request via Azure CLI
Expected signal: AzureActivity log entry with OperationNameValue='MICROSOFT.QUOTA/QUOTAREQUESTS/WRITE', ActivityStatusValue='Succeeded', CallerIpAddress matching the machine running the command, Claims.upn matching the authenticated Azure CLI user.
- Test 2Delete Azure Policy Assignment via Azure CLI
Expected signal: Two AzureActivity entries: first with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE' (creation), second with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE' (deletion). Both with ActivityStatusValue='Succeeded'. The DELETE operation is the high-severity event that triggers alerting.
- Test 3Enable Unused Azure Region via Feature Registration
Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.FEATURES/PROVIDERS/FEATURES/REGISTER' or 'MICROSOFT.RESOURCES/PROVIDERS/REGISTER', ActivityStatusValue='Succeeded'. CallerIpAddress and Claims.upn identify the caller.
- Test 4Create Azure Policy Exemption to Bypass Security Control
Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE', ActivityStatusValue='Succeeded'. The exemption category (Waiver vs Mitigated), scope, and referenced policy assignment are captured in the Properties field.
References (9)
- https://attack.mitre.org/techniques/T1578/005/
- https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
- https://learn.microsoft.com/en-us/rest/api/quota/quota/update
- https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md
Unlock Pro Content
Get the full detection package for T1578.005 including response playbook, investigation guide, and atomic red team tests.