ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Snapshot Creation

The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments.

Data Collection Measures:

Cloud Platform Logs (IaaS)
- AWS CloudTrail Logs: Monitor API calls related to snapshot creation (CreateSnapshot).
- Azure Monitor Logs: Track snapshot creation (Microsoft.Compute/snapshots/write).
- Google Cloud Logging: Detect compute.disks.createSnapshot.

ID: DC0057

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
AWS:CloudTrail	CreateSnapshot
azure:activity	MICROSOFT.COMPUTE/SNAPSHOTS/WRITE
esxi:vmkernel	snapshot create/write events

Detection Strategy

ID	Name	Technique Detected
DET0573	Cross-Platform Detection of Data Transfer to Cloud Account	T1537
DET0261	Detection of Local Data Staging Prior to Exfiltration	T1074.001
DET0308	Detection Strategy for Modify Cloud Compute Infrastructure	T1578
DET0423	Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot	T1578.001