Instance

A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers[1][2]

ID: DS0030
Platform: IaaS
Collection Layer: Cloud Control Plane
Version: 1.0
Created: 20 October 2021
Last Modified: 20 October 2021

Data Components

Instance: Instance Creation

Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)

Instance: Instance Creation

Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.In AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.[5]

.002 Create Cloud Instance

The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.In AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.[5]

Enterprise T1535 Unused/Unsupported Cloud Regions

Monitor system logs to review instance activities occurring across all cloud environments and regions.

Enterprise T1204 User Execution

Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

.003 Malicious Image

Monitor for newly constructed instances that may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.

Instance: Instance Deletion

Removal of an instance (ex: instance.delete within GCP Audit Logs)

Instance: Instance Deletion

Removal of an instance (ex: instance.delete within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1485 Data Destruction

Monitor for unexpected deletion of an instance (ex: instance.delete within GCP Audit Logs)

Enterprise T1578 Modify Cloud Compute Infrastructure

The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.

In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.[5]

.003 Delete Cloud Instance

The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.

In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.[5]

Instance: Instance Enumeration

An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)

Instance: Instance Enumeration

An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1580 Cloud Infrastructure Discovery

Monitor cloud logs for API calls and other potentially unusual activity related to cloud instance enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Instance: Instance Metadata

Contextual data about an instance and activity around it such as name, type, or status

Instance: Instance Metadata

Contextual data about an instance and activity around it such as name, type, or status

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Periodically baseline instances to identify malicious modifications or additions.

.002 Create Cloud Instance

Periodically baseline instances to identify malicious modifications or additions.

.003 Delete Cloud Instance

Periodically baseline instances to identify malicious modifications or additions.

.004 Revert Cloud Instance

Periodically baseline instances to identify malicious modifications or additions.

Enterprise T1535 Unused/Unsupported Cloud Regions

Monitor and consider configuring alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.

Instance: Instance Modification

Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)

Instance: Instance Modification

Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

.004 Revert Cloud Instance

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Instance: Instance Start

Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

Instance: Instance Start

Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to activation of instances that are occurring outside of normal activity/planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

.004 Revert Cloud Instance

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to activation of instances that are occurring outside of normal activity/planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Enterprise T1204 User Execution

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

.003 Malicious Image

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

Instance: Instance Stop

Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)

Instance: Instance Stop

Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to deactivation of instances that are occurring outside of planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

.004 Revert Cloud Instance

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to deactivation of instances that are occurring outside of planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

References