Instance Modification (45d0ff14-b9c4-41f5-8603-156657c20b75)

Changes made to a virtual machine (VM) or compute instance, including alterations to its configuration, metadata, attached policies, or operational state. Such modifications can include updating metadata, attaching or detaching resource policies, resizing instances, or modifying network configurations. Examples:

  • AWS: instance modifications include API actions like ModifyInstanceAttribute, ModifyInstanceMetadataOptions, or RebootInstances.
  • Azure: modifications can be tracked through operations like Microsoft.Compute/virtualMachines/write.
  • GCP: instance modification events include operations like instances.setMetadata, instances.addResourcePolicies, or instances.resize.

Data Collection Measures:

  • AWS CloudTrail: Log Location: Stored in S3 or forwarded to CloudWatch.
  • Azure Activity Logs: Log Location: Accessible via Azure Monitor or exported to a storage account.
  • GCP Audit Logs: Log Location: Logs Explorer or BigQuery.
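
An added example, not part of the original page: a Python filter that picks the operations listed above out of exported audit records from all three providers and normalizes them to one shape. The JSON field names follow each provider's audit log schema as assumed here (CloudTrail `eventName`, Azure `operationName`, GCP `protoPayload.methodName`), and the sample records are constructed.

```python
import json

# Operation names are the ones listed on this page.
AWS_EVENTS = {"ModifyInstanceAttribute", "ModifyInstanceMetadataOptions", "RebootInstances"}
AZURE_OPS = {"microsoft.compute/virtualmachines/write"}
GCP_METHODS = ("instances.setMetadata", "instances.addResourcePolicies", "instances.resize")

def classify(rec):
    """Map one provider audit record to a common shape, or None if not a match."""
    if rec.get("eventSource") == "ec2.amazonaws.com" and rec.get("eventName") in AWS_EVENTS:
        params = rec.get("requestParameters") or {}
        # requestParameters differs per API call; instanceId is best effort (assumption).
        return {"cloud": "aws", "action": rec["eventName"],
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "target": params.get("instanceId")}
    op = rec.get("operationName")
    if isinstance(op, dict):  # REST API form: {"value": ..., "localizedValue": ...}
        op = op.get("value")
    if isinstance(op, str) and op.lower() in AZURE_OPS:  # casing varies by export path
        return {"cloud": "azure", "action": op, "actor": rec.get("caller"),
                "target": rec.get("resourceId")}
    proto = rec.get("protoPayload") or {}
    method = str(proto.get("methodName") or "")
    if method.endswith(GCP_METHODS):  # e.g. "v1.compute.instances.setMetadata"
        return {"cloud": "gcp", "action": method,
                "actor": (proto.get("authenticationInfo") or {}).get("principalEmail"),
                "target": proto.get("resourceName")}
    return None

def find_modifications(lines):
    """Parse JSON lines, skip malformed ones, return the normalized matches."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(rec) if isinstance(rec, dict) else None
        if hit:
            hits.append(hit)
    return hits

# Constructed sample records (not real log data).
SAMPLE = [
    '{"eventSource":"ec2.amazonaws.com","eventName":"ModifyInstanceAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example"},"requestParameters":{"instanceId":"i-0123456789abcdef0"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances"}',
    '{"operationName":"MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE","caller":"admin@example.com","resourceId":"/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"}',
    '{"protoPayload":{"methodName":"v1.compute.instances.setMetadata","authenticationInfo":{"principalEmail":"svc@example.iam.gserviceaccount.com"},"resourceName":"projects/p/zones/z/instances/vm2"}}',
    'not json',
]
```

`find_modifications(SAMPLE)` returns three normalized events; the read-only `DescribeInstances` call and the malformed line are dropped.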

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | Instance Modification (45d0ff14-b9c4-41f5-8603-156657c20b75) | mitre-data-component | 1 |
| Instance Modification (45d0ff14-b9c4-41f5-8603-156657c20b75) | mitre-data-component | Revert Cloud Instance - T1578.004 (0708ae90-d0eb-4938-9a76-d0fc94f6eec1) | Attack Pattern | 1 |
| Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | Revert Cloud Instance - T1578.004 (0708ae90-d0eb-4938-9a76-d0fc94f6eec1) | Attack Pattern | 2 |