DET0308: Detection Strategy for Modify Cloud Compute Infrastructure
Analyst context for executives and security teams
DET0308 is a MITRE ATT&CK detection strategy for activity related to modifying cloud compute infrastructure. Its decision value is that changes to IaaS compute resources—such as instances, virtual machines, or snapshots—can affect whether defenses still see, restrict, or protect the environment. For leaders, this is less about a single alert and more about whether cloud change monitoring can distinguish authorized operations from changes that may weaken visibility or access controls.
Executive priority
Prioritize this as a cloud control-validation issue tied to resilience and auditability. Security leaders should ask whether the organization can prove who changed compute infrastructure, what changed, when it changed, and whether the change impaired defensive controls. Because the related ATT&CK technique is associated with defense impairment in IaaS, this detection area is important for incident decision-making, cloud governance, and compliance evidence around privileged cloud activity and infrastructure change control.
Technical view
The supplied ATT&CK object does not include an official detection analytic or platform list, but it detects T1578, Modify Cloud Compute Infrastructure, which is described for IaaS and defense-impairment. SOC, cloud security, and IR teams should validate monitoring around creation, deletion, or modification of compute instances, virtual machines, snapshots, and related compute components. Detection engineering should focus on correlating infrastructure-change events with identity context, privilege level, change tickets or deployment activity, and subsequent loss or alteration of defensive visibility.
Likely telemetry
- Cloud control-plane audit logs for compute infrastructure changes
- Identity and access management logs showing the principal, role, session, and source of the change
- Compute instance, virtual machine, and snapshot inventory/change records
- Cloud configuration or asset-management history
- Change-management and deployment records for authorized infrastructure operations
Detection direction
- Validate that IaaS compute create, delete, and modify events are collected centrally and retained long enough for investigation.
- Tune detections around unusual or unauthorized compute infrastructure changes, especially those performed by privileged identities or outside expected deployment workflows.
- Correlate compute changes with identity context and approved change records to reduce false positives from normal cloud operations.
- Look for blind spots where snapshots, temporary instances, or modified virtual machines are not covered by inventory, logging, or security tooling.
- Because ATT&CK does not provide official detection logic for this object, treat DET0308 as a coverage objective rather than a ready-to-run analytic.
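The correlation described above (compute-change events joined to the acting identity and to approved change windows, with everything else surfaced for triage) as a runnable example. This is added here and is not MITRE's or the page's own detection logic; it assumes AWS CloudTrail-style JSON records as the IaaS control-plane audit log, and the events, the `ci-deploy` role, the account number and the `CHG-1042` ticket are all constructed for illustration.

```python
"""Correlate IaaS compute-change events with identity context and approved
change windows (added example; not MITRE's or the page's own detection logic).
Assumes AWS CloudTrail-style records; all events, roles and tickets below are
constructed for illustration."""
import json
from datetime import datetime, timezone

# EC2 API calls that create, delete or modify instances, images and snapshots.
COMPUTE_CHANGE_EVENTS = {
    "RunInstances", "TerminateInstances", "StopInstances",
    "ModifyInstanceAttribute", "CreateSnapshot", "DeleteSnapshot",
    "CreateImage", "DeregisterImage",
}
# Subset that removes resources (and any evidence held on them) outright.
DESTRUCTIVE_EVENTS = {"TerminateInstances", "DeleteSnapshot", "DeregisterImage"}

# Hypothetical deployment role and change-management records (assumptions).
DEPLOY_ROLE = "arn:aws:iam::123456789012:role/ci-deploy"
APPROVED_CHANGES = [
    {"principal": DEPLOY_ROLE, "ticket": "CHG-1042",
     "start": "2026-03-02T02:00:00Z", "end": "2026-03-02T03:00:00Z"},
]


def _ts(value):
    """Parse the CloudTrail timestamp format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_of(event):
    """Resolve the acting principal: the issuing role for assumed-role
    sessions, otherwise the identity ARN itself."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def approved_ticket(principal, when):
    """Return the change ticket covering this principal at this time, if any."""
    for change in APPROVED_CHANGES:
        if (change["principal"] == principal
                and _ts(change["start"]) <= when <= _ts(change["end"])):
            return change["ticket"]
    return None


def evaluate(log_lines):
    """Emit one finding per compute change not explained by an approved window."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        if (event.get("eventSource") != "ec2.amazonaws.com"
                or event.get("eventName") not in COMPUTE_CHANGE_EVENTS):
            continue  # not a compute-infrastructure change
        principal = principal_of(event)
        when = _ts(event["eventTime"])
        if approved_ticket(principal, when):
            continue  # attributable to an approved deployment: suppress
        identity_type = event["userIdentity"].get("type")
        # Destructive calls, or humans/root acting directly, are triaged first.
        severe = (event["eventName"] in DESTRUCTIVE_EVENTS
                  or identity_type in {"Root", "IAMUser"})
        findings.append({
            "time": event["eventTime"],
            "event": event["eventName"],
            "principal": principal,
            "identity_type": identity_type,
            "source_ip": event.get("sourceIPAddress"),
            "severity": "high" if severe else "medium",
            "reason": "no approved change window covers this principal at this time",
        })
    return findings


# Constructed CloudTrail-style events (one JSON document per line).
_ASSUMED = {"type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-4711",
            "sessionContext": {"sessionIssuer": {"arn": DEPLOY_ROLE}}}
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2026-03-02T02:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": _ASSUMED},
    {"eventTime": "2026-03-02T02:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "sourceIPAddress": "203.0.113.10", "userIdentity": _ASSUMED},
    {"eventTime": "2026-03-02T14:35:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7", "userIdentity": _ALICE},
    {"eventTime": "2026-03-02T14:36:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "sourceIPAddress": "198.51.100.7", "userIdentity": _ALICE},
    {"eventTime": "2026-03-02T14:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7", "userIdentity": _ALICE},
    {"eventTime": "2026-03-02T23:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "sourceIPAddress": "203.0.113.10", "userIdentity": _ASSUMED},
]]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run as a script it prints three findings: the two changes made interactively by an IAM user with no ticket (rated high because one is destructive and both come from a human identity rather than a pipeline role), and the late-night snapshot taken by the deployment role outside its approved window (rated medium). The in-window `RunInstances` and `CreateSnapshot` calls are suppressed, which is the "explainable" half of the page's visible, attributable, explainable test; the read-only `DescribeInstances` call is never considered a change. The principal resolution deliberately walks to `sessionIssuer` so that per-run session names do not defeat the match against the change record.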
Mitigation priorities
- Establish clear ownership and change-control expectations for IaaS compute infrastructure.
- Limit who can create, delete, or modify compute resources and snapshots based on least privilege.
- Ensure cloud audit logging and asset inventory are enabled for compute infrastructure and are protected from unauthorized alteration.
- Use governance processes to compare observed compute changes against approved deployments and maintenance activity.
- During incidents, review recent compute infrastructure changes as potential defense-impairment activity before relying on endpoint or workload visibility as complete.
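The least-privilege point in the list above (limiting who can create, delete or modify compute resources and snapshots) is easiest to see with a weak grant next to a scoped one. The following is an added example, not the page's or MITRE's content; it uses AWS IAM policy JSON as the example IaaS authorization model, the action list is an illustrative subset of EC2 rather than the full set, and the account, region and tag values are placeholders.

```python
"""Compare a weak and a scoped IAM policy for compute-write permissions
(added example, not the page's or MITRE's; AWS IAM JSON is used as the example
IaaS authorization model, and account/region/tag values are placeholders)."""
import fnmatch

# EC2 actions that create, delete or modify compute resources and snapshots
# (illustrative subset, not the complete EC2 action list).
COMPUTE_WRITE_ACTIONS = {
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:StopInstances",
    "ec2:ModifyInstanceAttribute", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
    "ec2:CreateImage", "ec2:DeregisterImage",
}

# Weak setting: blanket EC2 access on every resource, with no conditions.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Corrected setting: read-only by default; the one write this role needs is
# limited to tagged volumes in a single account and region.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:CreateSnapshot"],
         "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/backup": "true"}}},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def granted_compute_writes(policy):
    """Map each compute-write action the policy allows to whether the grant is
    unscoped (any resource, no condition). Action names are matched
    case-insensitively with IAM-style wildcards; Deny statements are not
    modelled, so this is a conservative (over-approximating) check."""
    granted = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = ("*" in _as_list(stmt.get("Resource", "*"))
                    and "Condition" not in stmt)
        for pattern in _as_list(stmt["Action"]):
            for action in COMPUTE_WRITE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted[action] = granted.get(action, False) or unscoped
    return granted


def policy_findings(policy):
    """Return the unscoped compute-write grants: the permissions that let one
    principal reshape or delete compute infrastructure anywhere in the account."""
    return sorted(action for action, unscoped in granted_compute_writes(policy).items()
                  if unscoped)


if __name__ == "__main__":
    print("weak  :", policy_findings(WEAK_POLICY))
    print("scoped:", policy_findings(SCOPED_POLICY))
```

Against the weak policy the checker reports all eight compute-write actions as unscoped; against the scoped policy it reports none, because the only write it grants is bound to a resource ARN and a tag condition. A real review would also have to account for Deny statements, permission boundaries and SCPs, which this example deliberately leaves out.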
Analyst notes and limits
This take is based on DET0308 and its relationship to T1578, Modify Cloud Compute Infrastructure. The key operational value is validating whether cloud compute changes are visible, attributable, and explainable. Local baselines are essential because legitimate cloud engineering, autoscaling, maintenance, and deployment activity can generate similar change patterns.
The detection strategy object has no official description, no official detection text, no tactics, and no platforms specified. The only platform and tactic context used here comes from the related technique T1578: IaaS and defense-impairment. No active exploitation, actor attribution, or guaranteed detection coverage is implied.
Detection Strategy for Modify Cloud Compute Infrastructure
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | This object detects Modify Cloud Compute Infrastructure. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 57b1d53b2d4c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0308
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.