Instance Start

The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples:

Google Cloud Platform (GCP): Starting an instance through instance.start API activity.
AWS: Logging of StartInstances in AWS CloudTrail for EC2 instances.
Azure: Microsoft.Compute/virtualMachines/start entries indicate a VM instance being started.

ID: DC0080

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 12 November 2025

Log Sources

Name	Channel
AWS:CloudTrail	StartInstances
AWS:CloudTrail	RunInstances

Detection Strategy

ID	Name	Technique Detected
DET0028	Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes	T1496.002
DET0247	Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS)	T1535
DET0308	Detection Strategy for Modify Cloud Compute Infrastructure	T1578
DET0449	Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance	T1578.002
DET0337	Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance	T1578.004
DET0334	Detection Strategy for T1525 – Implant Internal Image	T1525
DET0208	Endpoint Resource Saturation and Crash Pattern Detection Across Platforms	T1499
DET0540	Multi-Platform Behavioral Detection for Compute Hijacking	T1496.001
DET0267	Resource Hijacking Detection Strategy	T1496
DET0248	User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003)	T1204.003
DET0478	User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress)	T1204