T1578.001 Create Snapshot
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure: the snapshot carries the same data as the original, but it is a new object, so the controls protecting the original instance (for example a security group that blocks inbound SSH) do not apply to it. This differs from Revert Cloud Instance (T1578.004), where an adversary reverts to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance (T1578.002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.[1]
| Item | Value |
|---|---|
| ID | T1578.001 |
| Sub-technique of | T1578 Modify Cloud Compute Infrastructure (sibling sub-techniques: T1578.001, T1578.002, T1578.003, T1578.004) |
| Tactics | TA0005 Defense Evasion |
| Platforms | IaaS |
| Permissions required | User |
| Version | 1.1 |
| Created | 09 June 2020 |
| Last Modified | 08 March 2021 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups. |
| M1018 | User Account Management | Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[1] |
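The M1047 audit is easy to get wrong when snapshot rights arrive through wildcards (`ec2:*`, `*`) rather than by naming `ec2:CreateSnapshot`, and an entitlement review that only greps for the literal action name misses them. As an added example that is not part of the ATT&CK page or of any AWS tooling, the Python below evaluates constructed IAM policy documents for snapshot-creating actions, expanding wildcards the way IAM does and honouring explicit Deny. The action list, the principal names and the decision to ignore Resource and Condition elements are assumptions of the example.

```python
"""Audit which IAM principals can create snapshots or backups (M1047).

Added example, not ATT&CK or AWS code. Policy documents are constructed.
Evaluation is simplified: Resource and Condition elements are ignored, so a
hit means "could be allowed", which is the conservative direction for an
entitlement review. NotAction statements are not handled.
"""
import fnmatch

# Assumption: these are the point-in-time-copy actions the reviewer cares
# about. Extend for other services as needed.
SNAPSHOT_ACTIONS = (
    "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:CreateImage",
    "rds:CreateDBSnapshot", "rds:CreateDBClusterSnapshot",
    "backup:StartBackupJob",
)


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_snapshot_actions(policy_docs):
    """Return the subset of SNAPSHOT_ACTIONS granted by a principal's policies.

    As in IAM, an explicit Deny anywhere beats any Allow.
    """
    allowed, denied = set(), set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            patterns = _as_list(stmt.get("Action", []))
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            for action in SNAPSHOT_ACTIONS:
                if any(_matches(p, action) for p in patterns):
                    bucket.add(action)
    return allowed - denied


def audit(principals):
    """principals: {name: [policy_doc, ...]}.

    Returns {name: sorted actions} for every principal who can create at
    least one kind of snapshot; principals with no such right are omitted.
    """
    return {name: sorted(acts) for name, docs in principals.items()
            if (acts := allowed_snapshot_actions(docs))}


# Constructed principals; none correspond to a real account.
CONSTRUCTED_PRINCIPALS = {
    # Expected: explicit, narrowly scoped snapshot right.
    "backup-operator": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateSnapshot", "ec2:DescribeSnapshots"]}]}],
    # Unexpected: service wildcard quietly includes every EC2 snapshot action.
    "developer": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}],
    # Clean: read-only wildcard does not match any create action.
    "auditor": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}],
    # Partially fixed: full access with an explicit Deny that covers EC2 only.
    "power-user": [
        {"Version": "2012-10-17", "Statement":
            {"Effect": "Allow", "Action": "*", "Resource": "*"}},
        {"Version": "2012-10-17", "Statement":
            {"Effect": "Deny", "Resource": "*",
             "Action": ["ec2:CreateSnapshot*", "ec2:CreateImage"]}},
    ],
}

if __name__ == "__main__":
    for name, actions in audit(CONSTRUCTED_PRINCIPALS).items():
        print(f"{name}: {', '.join(actions)}")
```

In a real review the policy documents would come from the provider's API (for AWS, the attached and inline policies of each user, group and role); the point of the example is the matching logic, which is where wildcard grants and RDS or Backup-service snapshot rights slip past a name-based check.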
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0020 | Snapshot | Snapshot Creation |
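The Snapshot Creation data component on its own fires on every scheduled backup. What distinguishes this technique is the chain in the description above: a snapshot, a volume restored from it, that volume attached to an adversary-controlled instance, and then a firewall rule opening SSH, all by the same principal. As an added example that is not from ATT&CK, Mandiant or AWS, the Python below correlates constructed CloudTrail-style records by principal and by object ID so that only that chain is reported; the record layout, the two-hour window and every account, principal and resource identifier are assumptions of the example.

```python
"""Correlate CloudTrail events into the snapshot-to-instance access chain.

Added example, not ATT&CK or AWS code. Records are constructed to follow the
CloudTrail layout for EC2 API calls (eventName, userIdentity.arn,
requestParameters, responseElements) but are not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # assumption: the chain completes within 2 hours


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def opens_ssh(req):
    """True if an AuthorizeSecurityGroupIngress request permits TCP/22."""
    for perm in req.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol")
        if proto == "-1":  # all protocols and ports
            return True
        if proto == "tcp" and perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535):
            return True
    return False


def find_snapshot_access_chains(records):
    """One finding per (principal, instance) where the same principal created
    a snapshot, restored a volume from it, attached that volume to an
    instance and then opened SSH, all within WINDOW. Linking by object ID is
    the point: a backup job's CreateSnapshot plus an unrelated SSH rule
    change must not correlate. CloudTrail does not say which instance uses
    a security group, so the SSH step is tied to the principal only."""
    by_principal = defaultdict(list)
    for rec in records:
        by_principal[rec["userIdentity"]["arn"]].append(rec)

    findings = []
    for principal, events in by_principal.items():
        events.sort(key=_ts)
        snapshots = {}  # snapshotId -> creation time
        volumes = {}    # volumeId -> snapshotId it was restored from
        attached = {}   # instanceId -> volumeId
        for rec in events:
            name = rec["eventName"]
            req = rec.get("requestParameters") or {}
            resp = rec.get("responseElements") or {}
            t = _ts(rec)
            if name == "CreateSnapshot" and "snapshotId" in resp:
                snapshots[resp["snapshotId"]] = t
            elif name == "CreateVolume" and req.get("snapshotId") in snapshots:
                volumes[resp.get("volumeId")] = req["snapshotId"]
            elif name == "AttachVolume" and req.get("volumeId") in volumes:
                attached[req.get("instanceId")] = req["volumeId"]
            elif name == "AuthorizeSecurityGroupIngress" and opens_ssh(req):
                hits = [(inst, vol) for inst, vol in attached.items()
                        if t - snapshots[volumes[vol]] <= WINDOW]
                for inst, vol in hits:
                    findings.append({"principal": principal, "snapshot": volumes[vol],
                                     "volume": vol, "instance": inst,
                                     "security_group": req.get("groupId"),
                                     "completed_at": rec["eventTime"]})
                    del attached[inst]  # report each chain once
    return findings


def _rec(time, principal, name, req=None, resp=None):
    """Build a constructed CloudTrail-style record."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": principal},
            "requestParameters": req or {}, "responseElements": resp or {}}


# Constructed principals and resource IDs; none refer to a real account.
BACKUP_ROLE = "arn:aws:iam::111122223333:role/backup-operator"
SUSPECT = "arn:aws:iam::111122223333:user/contractor"

SAMPLE_EVENTS = [
    # Benign: the backup role snapshots a volume and does nothing else.
    _rec("2020-06-09T01:00:00Z", BACKUP_ROLE, "CreateSnapshot",
         {"volumeId": "vol-0a1b"}, {"snapshotId": "snap-0a1b"}),
    # Suspicious: one principal walks the whole chain, linked by object IDs.
    _rec("2020-06-09T02:00:00Z", SUSPECT, "CreateSnapshot",
         {"volumeId": "vol-0db0"}, {"snapshotId": "snap-0c0f"}),
    _rec("2020-06-09T02:05:00Z", SUSPECT, "CreateVolume",
         {"snapshotId": "snap-0c0f"}, {"volumeId": "vol-0new"}),
    _rec("2020-06-09T02:10:00Z", SUSPECT, "RunInstances", {"instanceType": "t3.micro"}),
    _rec("2020-06-09T02:12:00Z", SUSPECT, "AttachVolume",
         {"volumeId": "vol-0new", "instanceId": "i-0bad", "device": "/dev/sdf"}),
    _rec("2020-06-09T02:15:00Z", SUSPECT, "AuthorizeSecurityGroupIngress",
         {"groupId": "sg-0123", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
]

if __name__ == "__main__":
    for finding in find_snapshot_access_chains(SAMPLE_EVENTS):
        print(finding)
```

The backup role's snapshot produces nothing because no volume is ever restored from it; the contractor's events produce exactly one finding. Before acting on a finding, confirm with a configuration lookup that the instance in question is actually attached to the security group that was opened, since that link is not present in the API call log.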
References
1. Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.
2. Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. Retrieved April 27, 2020.
3. Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor. Retrieved May 1, 2020.
4. Google. (2020, April 23). Creating and Starting a VM instance. Retrieved May 1, 2020.