Skip to content

DET0423 Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot

Item Value
ID DET0423
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1578.001 (Create Snapshot)

Analytics

IaaS

AN1187

Detection focuses on correlating snapshot creation events with subsequent instance creation and mounting activities. From a defender perspective, suspicious sequences include snapshot creation by unexpected or newly created IAM users, snapshots created from sensitive volumes without preceding change-control activity, or snapshots immediately followed by mounting to unauthorized instances. Cross-referencing with user behavior, IP geolocation, and automation context helps distinguish benign backup operations from adversary-driven snapshot exploitation.

Log Sources
Data Component Name Channel
Snapshot Creation (DC0057) AWS:CloudTrail CreateSnapshot
Snapshot Metadata (DC0062) AWS:CloudTrail DescribeSnapshots
Mutable Elements
Field Description
UserContext IAM user, service account, or role performing snapshot creation. Tuned to allowlist known backup automation services.
TimeWindow Frequency of snapshot creation in a defined period. Adjusted for environments with frequent automated backups.
GeoLocation Unusual regions or IPs from which snapshot creation API calls originate. Helps identify cross-region snapshot abuse.
VolumeSensitivity Tagging or classification of volumes being snapshotted. Tuned to prioritize alerts when sensitive volumes are copied.