Create Cloud Instance (T1578.002)

Information

• Name: Create Cloud Instance

• ID: T1578.002

• Tactics:

• Technique:

Introduction

Modify Permissions (T1578.002) is a sub-technique within the MITRE ATT&CK framework under the broader category of "Modify Cloud Compute Infrastructure" (T1578). It refers specifically to adversaries altering permissions and access controls on cloud resources, environments, or infrastructure components. Attackers leverage this method to enable persistent access, escalate privileges, or disrupt legitimate user access. By modifying permissions, attackers ensure continued access and limit defenders' ability to remediate or detect unauthorized activities.

Deep Dive Into Technique

Adversaries executing this sub-technique typically focus on modifying permissions and access control lists (ACLs) within cloud platforms or cloud infrastructure management systems. These modifications can involve:

• Altering identity and access management (IAM) policies to grant unauthorized users elevated privileges or administrative rights.

• Changing resource-based policies to allow external or malicious entities access to sensitive data or resources.

• Adjusting permissions on cloud storage buckets, virtual machines, containers, or cloud functions to facilitate persistent access or data exfiltration.

• Removing or downgrading permissions of legitimate users or security groups, hindering response and remediation efforts.

Technical execution methods include:

• Using compromised administrative credentials or API keys to modify IAM roles and policies.

• Employing automated scripts or tools to systematically alter permissions across multiple cloud resources quickly.

• Leveraging cloud provider-specific command-line interfaces (CLIs), SDKs, or APIs to directly manipulate permissions.

• Exploiting misconfigured security settings or overly permissive IAM roles to escalate privileges and make unauthorized permission changes.

Real-world procedures involve attackers initially gaining access via compromised credentials, phishing attacks, or exploiting vulnerabilities, followed by enumeration of existing permissions and roles. Attackers then methodically alter permissions to consolidate control, ensure persistence, and limit defenders' visibility and response capabilities.

When this Technique is Usually Used

This sub-technique is typically observed in various stages of an attack lifecycle, including:

• Privilege Escalation: Attackers modify permissions to gain higher-level administrative access or broader privileges within the cloud environment.

• Persistence: Attackers alter permissions to maintain persistent access, ensuring continued control even after initial compromise is detected or remediated.

• Defense Evasion: Attackers adjust permissions to disable or limit security monitoring tools or prevent legitimate administrators from detecting their activities.

• Collection and Exfiltration: Attackers modify resource permissions (e.g., storage buckets, databases) to facilitate data collection and exfiltration without triggering alerts.

• Impact and Denial of Service: Attackers alter permissions to deny legitimate users access to critical cloud resources, causing disruption or downtime.

How this Technique is Usually Detected

Detection of Modify Permissions (T1578.002) involves monitoring cloud environments for anomalous permission changes, suspicious IAM policy updates, or unauthorized access control adjustments. Common detection methods and tools include:

• Cloud Audit Logging: Continuous monitoring and analysis of cloud provider audit logs (e.g., AWS CloudTrail, Azure Activity Logs, GCP Audit Logs) to detect unexpected or unauthorized IAM policy changes.

• Security Information and Event Management (SIEM): Aggregating audit logs and cloud events into SIEM systems to detect anomalous permission changes through correlation rules and anomaly detection.

• Cloud Security Posture Management (CSPM): Automated tools that continuously assess and alert on permission misconfigurations, overly permissive IAM roles, or unauthorized access control modifications.

• Behavioral Analytics and Anomaly Detection: Machine learning-driven analytics tools that identify deviations from normal permission management behaviors, such as sudden privilege escalations or unusual permission modifications.

• Indicators of Compromise (IoCs):

  • Unusual IAM policy modifications granting administrative privileges to unknown or suspicious accounts.

  • Rapid, bulk changes to ACLs or permissions across multiple cloud resources.

  • Unexpected removal or demotion of permissions for legitimate administrative accounts.

  • Unauthorized external accounts added to trusted roles or security groups.

Why it is Important to Detect This Technique

Early detection of Modify Permissions (T1578.002) is crucial due to its significant impacts on cloud environments, including:

• Privilege Escalation Risk: Unauthorized permission modifications can lead to attackers gaining extensive administrative control, enabling further compromise of sensitive resources, data, and infrastructure.

• Persistent Access: Attackers use permission changes to maintain persistent footholds, complicating remediation efforts and increasing dwell time within compromised environments.

• Data Breach and Exfiltration: Altered permissions can grant attackers access to confidential data, intellectual property, or personally identifiable information (PII), leading to data breaches and compliance violations.

• Operational Disruption: Attackers can deny legitimate users or administrators access to critical cloud resources, resulting in business disruption, downtime, and financial losses.

• Reduced Visibility and Response: Attackers may degrade security monitoring capabilities by revoking permissions from security tools or legitimate administrators, severely limiting defenders' ability to detect and respond effectively.

Timely detection and response significantly reduce these risks, minimize potential damage, and enable rapid containment and remediation.

Examples

Real-world examples and scenarios involving Modify Permissions (T1578.002) include:

• Capital One Data Breach (2019):

  • Attack Scenario: Attacker exploited misconfigured IAM roles and permissions in AWS, escalating privileges to access sensitive customer data stored in Amazon S3 buckets.

  • Tools Used: AWS CLI, customized scripts, exploitation of overly permissive IAM roles.

  • Impact: Exposure of personal information for approximately 100 million customers, significant financial and reputational damage.

• Tesla Kubernetes Infrastructure Breach (2018):

  • Attack Scenario: Attackers gained unauthorized access to Tesla's Kubernetes administrative console, modified permissions to deploy malicious cryptocurrency mining scripts.

  • Tools Used: Kubernetes administrative dashboard, cloud APIs, unauthorized IAM permission modifications.

  • Impact: Unauthorized resource usage, increased operational costs, and potential risk to proprietary data and intellectual property.

• TeamTNT Cloud Attacks (2020-2021):

  • Attack Scenario: Attackers targeted cloud environments, modifying permissions, and IAM policies to maintain persistence, disable security tools, and deploy cryptocurrency mining malware.

  • Tools Used: Custom scripting, cloud provider CLIs/APIs, automated IAM policy modifications.

  • Impact: Unauthorized resource consumption, financial loss due to increased billing, degraded security posture, and prolonged attacker persistence.

These examples highlight the critical importance of monitoring and detecting unauthorized permission modifications within cloud environments to prevent significant damage, data loss, and operational disruption.