Instance Creation

The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples:

AWS: creating an EC2 instance using RunInstances API calls.
Azure, creating a VM through the Azure Resource Manager (ARM).
GCP, an instance.insert action recorded.

Data Collection Measures:

AWS CloudTrail: CloudTrail logs stored in S3 or accessible via CloudWatch.
Azure Activity Logs: Accessible in Azure Monitor or exported to a storage account.
GCP Audit Logs: Logs Explorer or BigQuery.

ID: DC0076

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
AWS:CloudTrail	RunInstances,CreateImage
azure:activity	Microsoft.Compute/virtualMachines/write: imageReference publisher NOT IN allowlist OR plan is new/unknown
azure:activity	MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE
gcp:audit	compute.instances.insert: sourceImage not in approved projects OR has external image link
gcp:audit	compute.instances.insert

Detection Strategy

ID	Name	Technique Detected
DET0449	Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance	T1578.002
DET0248	User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003)	T1204.003
DET0478	User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress)	T1204