1. Home
  2. Data Components
  3. Instance Start

Instance Start

The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples:

  • Google Cloud Platform (GCP): Starting an instance through instance.start API activity.
  • AWS: Logging of StartInstances in AWS CloudTrail for EC2 instances.
  • Azure: Microsoft.Compute/virtualMachines/start entries indicate a VM instance being started.

Data Collection Measures:

  • Google Cloud Platform: Enable GCP Audit Logs for Compute Engine.
    • Log Event: Look for instance.start entries in Cloud Logging.
  • Amazon Web Services (AWS): AWS CloudTrail.
    • Log Event: Search for StartInstances events associated with EC2.
  • Microsoft Azure: Azure Activity Logs.
    • Log Event: Filter for Microsoft.Compute/virtualMachines/start operations.
ID: DC0080
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
AWS:CloudTrail StartInstances
AWS:CloudTrail StartInstances: Instance starts from suspicious AMI or with userData present
AWS:CloudTrail RunInstances
CloudTrail:EC2 RunInstances
CloudTrail:RunInstances RunInstances
CloudTrail:RunInstances RunInstances: AMI not in allowlist OR AMI owner != enterprise owner/account

Detection Strategy

ID Name Technique Detected
DET0028 Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes T1496.002
DET0247 Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS) T1535
DET0308 Detection Strategy for Modify Cloud Compute Infrastructure T1578
DET0449 Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance T1578.002
DET0337 Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance T1578.004
DET0334 Detection Strategy for T1525 – Implant Internal Image T1525
DET0208 Endpoint Resource Saturation and Crash Pattern Detection Across Platforms T1499
DET0540 Multi-Platform Behavioral Detection for Compute Hijacking T1496.001
DET0267 Resource Hijacking Detection Strategy T1496
DET0248 User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003) T1204.003
DET0478 User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) T1204