T1578.002 Create Cloud Instance
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging. [1]
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
Item | Value |
---|---|
ID | T1578.002 |
Sub-techniques | T1578.001, T1578.002, T1578.003, T1578.004 |
Tactics | TA0005 |
Platforms | IaaS |
Permissions required | User |
Version | 1.1 |
Created | 14 May 2020 |
Last Modified | 08 March 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G1004 | LAPSUS$ | LAPSUS$ has created new virtual machines within the target’s cloud environment after leveraging credential access to cloud assets. [5] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Routinely check user permissions to ensure only the expected users have the capability to create new instances. |
M1018 | User Account Management | Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies. [1] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0030 | Instance | Instance Creation |
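The Instance Creation data component above maps, on AWS, to CloudTrail RunInstances records. The following is an added detection example (not part of the ATT&CK page) that runs over constructed CloudTrail-style events: it lists instance creations, flags creators that are not on an audited allow-list (M1047), and flags the snapshot-then-launch-then-attach sequence described in the technique text. Field names follow real CloudTrail records; the account ID, principals and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (sample data, not real logs). The first
# three model the chain described in the technique text: a snapshot, a new
# instance launched by the same principal, then a volume attached to it. The
# fourth is a routine launch by an expected automation role.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventName": "AttachVolume",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"}},
]


def _ts(event):
    """Parse the CloudTrail eventTime (UTC, ISO 8601 with trailing Z)."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def instance_creations(events):
    """Instance Creation events (DS0030): each RunInstances call with its principal."""
    return [(e["eventTime"], e["userIdentity"]["arn"])
            for e in events if e["eventName"] == "RunInstances"]


def unexpected_creators(events, expected):
    """Principals that launched instances but are not on the audited allow-list (M1047)."""
    return sorted({arn for _, arn in instance_creations(events) if arn not in expected})


def snapshot_mount_chains(events, window_minutes=30):
    """Launches where the same principal created a snapshot shortly before and
    attached a volume shortly after: the sequence the technique text describes."""
    window = timedelta(minutes=window_minutes)
    flagged = []
    for launch in (e for e in events if e["eventName"] == "RunInstances"):
        arn, t0 = launch["userIdentity"]["arn"], _ts(launch)
        same = [e for e in events if e["userIdentity"]["arn"] == arn]
        snap_before = any(e["eventName"] == "CreateSnapshot"
                          and t0 - window <= _ts(e) <= t0 for e in same)
        attach_after = any(e["eventName"] == "AttachVolume"
                           and t0 <= _ts(e) <= t0 + window for e in same)
        if snap_before and attach_after:
            flagged.append((launch["eventTime"], arn))
    return flagged
```

Feed it the `Records` array of a CloudTrail log file instead of `SAMPLE_EVENTS` to run it on real data; the allow-list for `unexpected_creators` should come from the permission audit the Mitigations table recommends.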
References
- Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.
- Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.
- Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.