DC0076 Instance Creation

| Item | Value |
|---|---|
| ID | DC0076 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
|---|---|
| AWS:CloudTrail | RunInstances, CreateImage |
| azure:activity | Microsoft.Compute/virtualMachines/write: imageReference publisher NOT IN allowlist OR plan is new/unknown |
| azure:activity | MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE |
| gcp:audit | compute.instances.insert: sourceImage not in approved projects OR has external image link |
| gcp:audit | compute.instances.insert |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0449 | Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance | T1578.002 |
| DET0248 | User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003) | T1204.003 |
| DET0478 | User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) | T1204 |