title: Modify Cloud Compute Infrastructure (T1578)
id: df00tech-t1578
status: experimental
description: "This detection identifies adversary attempts to modify cloud compute infrastructure components — including creating, deleting, or reverting virtual machines, snapshots, and compute configurations — to bypass access controls, evade detection, or erase forensic evidence. The KQL query monitors Azure Activity logs for anomalous compute operations such as snapshot creation from running instances, instance deletion outside approved maintenance windows, and configuration changes to security-relevant VM properties. The SPL query targets AWS CloudTrail events for equivalent actions across EC2, EBS, and related compute services. High-privilege cloud principals performing bulk or unusual compute operations are the primary focus, particularly when those operations originate from unfamiliar IP addresses or occur outside normal change windows."
references:
  - https://attack.mitre.org/techniques/T1578/
  - https://df00tech.com/detections/T1578
author: df00tech
date: 2026/03/19
tags:
  - attack.t1578
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate DevOps CI/CD pipelines creating and deleting ephemeral build VMs during automated deployment workflows
  - "Authorized disaster recovery tests involving snapshot creation, VM replication, and failover exercises"
  - "Infrastructure-as-Code tooling (Terraform, Bicep, ARM templates) running bulk creates/deletes during planned maintenance windows"
  - Cloud cost optimization scripts automatically deallocating idle VMs on a schedule
  - Security scanning tools or backup agents installing VM extensions across a fleet
level: high