Modify Cloud Compute Infrastructure: Create Snapshot

An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure. This differs from Revert Cloud Instance, where an adversary reverts to a snapshot to evade detection and remove evidence of their presence.

An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.[1]

ID: T1578.001
Sub-technique of: T1578
Tactic: Defense Evasion
Platforms: IaaS
Contributors: Praetorian
Version: 1.2
Created: 09 June 2020
Last Modified: 24 October 2025

Procedure Examples

ID: S1091
Name: Pacu
Description:

Pacu can create snapshots of EBS volumes and RDS instances.[2]

Mitigations

ID: M1047
Mitigation: Audit
Description:

Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups.

ID: M1018
Mitigation: User Account Management
Description:

Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[1]

Detection Strategy

ID: DET0423
Name: Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot
Analytic ID: AN1187
Analytic Description:

Detection focuses on correlating snapshot creation events with subsequent instance creation and mounting activities. From a defender perspective, suspicious sequences include snapshot creation by unexpected or newly created IAM users, snapshots created from sensitive volumes without preceding change-control activity, or snapshots immediately followed by mounting to unauthorized instances. Cross-referencing with user behavior, IP geolocation, and automation context helps distinguish benign backup operations from adversary-driven snapshot exploitation.
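The correlation described above, as an added example that is not part of the ATT&CK page or any vendor analytic: it walks CloudTrail-style events, ties each CreateSnapshot to any CreateVolume restored from that snapshot and any AttachVolume of the resulting volume within a time window, and flags chains whose actor is not on an assumed allow list of backup principals. The event shapes are simplified and the sample events, principal ARNs and resource IDs are constructed.

```python
"""Correlate snapshot creation with later restore-and-mount activity."""
from datetime import datetime, timedelta

# Assumption: site-specific allow list of principals expected to take snapshots.
EXPECTED_SNAPSHOT_PRINCIPALS = {"arn:aws:iam::111122223333:role/BackupAutomation"}
WINDOW = timedelta(hours=1)

# Constructed sample events using only the CloudTrail fields this check needs.
SAMPLE_EVENTS = [
    {"eventName": "CreateSnapshot", "eventTime": "2025-10-24T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/BackupAutomation"},
     "requestParameters": {"volumeId": "vol-0aaa"},
     "responseElements": {"snapshotId": "snap-0aaa"}},
    {"eventName": "CreateSnapshot", "eventTime": "2025-10-24T11:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/new-contractor"},
     "requestParameters": {"volumeId": "vol-0db1"},
     "responseElements": {"snapshotId": "snap-0db1"}},
    {"eventName": "CreateVolume", "eventTime": "2025-10-24T11:05:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/new-contractor"},
     "requestParameters": {"snapshotId": "snap-0db1"},
     "responseElements": {"volumeId": "vol-0new"}},
    {"eventName": "AttachVolume", "eventTime": "2025-10-24T11:07:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/new-contractor"},
     "requestParameters": {"volumeId": "vol-0new", "instanceId": "i-0bad"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_snapshot_chains(events, window=WINDOW, allowed=EXPECTED_SNAPSHOT_PRINCIPALS):
    """Return one finding per CreateSnapshot describing what followed it."""
    events = sorted(events, key=_ts)
    findings = []
    for snap in (e for e in events if e["eventName"] == "CreateSnapshot"):
        snap_id, actor, t0 = snap["responseElements"]["snapshotId"], snap["userIdentity"]["arn"], _ts(snap)
        in_window = lambda e: t0 <= _ts(e) <= t0 + window
        # Volumes restored from this snapshot inside the window.
        volumes = {e["responseElements"]["volumeId"] for e in events
                   if e["eventName"] == "CreateVolume" and in_window(e)
                   and e["requestParameters"].get("snapshotId") == snap_id}
        # Instances those restored volumes were attached to inside the window.
        instances = sorted({e["requestParameters"]["instanceId"] for e in events
                            if e["eventName"] == "AttachVolume" and in_window(e)
                            and e["requestParameters"]["volumeId"] in volumes})
        findings.append({"snapshotId": snap_id, "actor": actor,
                         "sourceVolume": snap["requestParameters"]["volumeId"],
                         "mountedTo": instances,
                         "suspicious": bool(instances) or actor not in allowed})
    return findings
```

Feeding real CloudTrail records requires only mapping the same four fields; the allow list and window are the tunables to align with change-control practice.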

References