Modify Cloud Compute Infrastructure: Create Cloud Instance

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass the firewall rules and permissions that apply to the instances already running in the account, because the new instance is not covered by them until someone applies them. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots on it, and then apply a less restrictive security policy to the new instance in order to collect Data from Local System or for Remote Data Staging.[1]

Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.

ID: T1578.002
Sub-technique of:  T1578
Tactic: Defense Evasion
Platforms: IaaS
Contributors: Arun Seelagan, CISA
Version: 1.2
Created: 14 May 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[2]

G1004 LAPSUS$

LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.[3]

G1015 Scattered Spider

Scattered Spider has created Amazon EC2 instances within the victim's environment.[4]

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check user permissions to ensure only the expected users have the capability to create new instances.

M1018 User Account Management

Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[1]
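As an added example of the entitlement review that M1047 and M1018 call for (this is not MITRE's code and not any vendor's tool), the script below evaluates a constructed set of inline IAM policy statements and reports which principals can call an instance-creating API. The principal names and policy documents are made up for the example. INSTANCE_CREATE_ACTIONS is an assumed list of actions treated as "creates an instance"; extend it for your environment. The evaluator is deliberately simplified: it honours Action/NotAction wildcards and explicit Deny, but ignores Resource, Condition, permission boundaries and SCPs, so it over-approximates and is useful for shortlisting principals to review, not for proving that a principal cannot launch.

```python
"""Entitlement review for instance creation (added example, not MITRE's code).

POLICIES is a constructed map of principal -> list of IAM policy statements.
The evaluator is simplified: it honours Action/NotAction wildcards and explicit
Deny, but ignores Resource, Condition, permission boundaries and SCPs, so it
over-approximates. Use it to shortlist principals for review."""
import fnmatch

# Assumed list of API actions treated here as "creates an instance".
INSTANCE_CREATE_ACTIONS = ("ec2:RunInstances", "ec2:CreateFleet", "ec2:RequestSpotInstances")

# Constructed sample policies (not from any real account).
POLICIES = {
    "role/ci-deploy": [{"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"]}],
    "user/analyst": [{"Effect": "Allow", "Action": "ec2:Describe*"}],
    "user/contractor-tmp": [{"Effect": "Allow", "Action": "*"}],
    # Denying RunInstances alone leaves other launch paths open.
    "role/readonly-with-deny": [{"Effect": "Allow", "Action": "ec2:*"},
                                {"Effect": "Deny", "Action": "ec2:RunInstances"}],
    # NotAction grants everything except the listed actions.
    "user/notaction-trap": [{"Effect": "Allow", "NotAction": "iam:*"}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(stmt, action):
    """Does this statement's Action/NotAction element apply to `action`?"""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def is_action_allowed(statements, action):
    """Explicit Deny wins over any Allow; with no matching statement, default deny."""
    allowed = False
    for stmt in statements:
        if not statement_covers(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def instance_creators(policies):
    """Map each principal to the instance-creating actions it can call."""
    report = {}
    for principal, statements in policies.items():
        actions = [a for a in INSTANCE_CREATE_ACTIONS if is_action_allowed(statements, a)]
        if actions:
            report[principal] = actions
    return report


if __name__ == "__main__":
    for principal, actions in instance_creators(POLICIES).items():
        print(f"{principal:28} can call {', '.join(actions)}")
```

In a real review the statements would come from the account (for AWS, via the IAM API or IAM Access Analyzer) rather than an inline dict, and the output is the list of principals to compare against the people expected to provision. The "readonly-with-deny" case is the one worth noticing: denying only ec2:RunInstances does not remove the ability to launch through other APIs, which is why the review should enumerate every launch path rather than a single action.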

Detection Strategy

ID Name Analytic ID Analytic Description
DET0449 Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance AN1242

Detection focuses on abnormal or unauthorized instance-creation events. From a defender's perspective, suspicious behavior includes VM or instance creation by rarely used or newly created accounts, creation from unusual geolocations or source networks, and rapid sequences of snapshot creation followed by instance creation and volume mounting. Unexpected network or IAM policy changes applied to a newly created instance point to adversarial use rather than legitimate provisioning. Because autoscaling groups and deployment pipelines create instances constantly, baseline the principals and source networks that normally provision before alerting on creation events alone.
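The analytic above, written out as an added example (not MITRE's or any vendor's detection content) over a handful of constructed CloudTrail-shaped events. The event names used (RunInstances, CreateSnapshot, AttachVolume, AuthorizeSecurityGroupIngress) are real AWS API names; the account ID, ARNs, IP addresses and timestamps are made up. BASELINE_PRINCIPALS and BASELINE_NETWORKS stand in for a learned baseline, CHAIN_WINDOW is an assumed correlation window, and POLICY_CHANGE_EVENTS is an assumed set of post-launch changes worth flagging.

```python
"""DET0449-style analytic over CloudTrail-shaped events (added example, not
MITRE's code). SAMPLE_EVENTS are constructed records, not real telemetry; only
the fields this script reads are populated. The baseline sets and the
correlation window are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline: principals and source networks that normally provision.
BASELINE_PRINCIPALS = {"arn:aws:iam::111122223333:role/ci-deploy"}
BASELINE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# How close in time snapshot -> launch -> mount/policy change must be to chain.
CHAIN_WINDOW = timedelta(minutes=30)
# Post-launch changes that loosen the new instance's exposure or identity.
POLICY_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "ModifyInstanceAttribute",
                        "AssociateIamInstanceProfile"}

# Constructed sample events shaped like CloudTrail records (times are UTC).
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-24T09:00:10Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-10-24T13:02:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2025-10-24T13:04:30Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2025-10-24T13:06:00Z", "eventName": "AttachVolume",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2025-10-24T13:07:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "sourceIPAddress": "198.51.100.77"},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event):
    return event["userIdentity"]["arn"]


def _ip_is_baselined(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BASELINE_NETWORKS)


def _any_within(events, names, start, end):
    """True if some event in `events` is named in `names` and start < t <= end."""
    return any(e["eventName"] in names and start < _ts(e) <= end for e in events)


def analyze(events):
    """Return (rule, principal, eventTime) findings for every RunInstances call."""
    findings = []
    by_principal = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_principal[_principal(e)].append(e)

    for principal, evs in by_principal.items():
        for e in evs:
            if e["eventName"] != "RunInstances":
                continue
            t = _ts(e)
            if principal not in BASELINE_PRINCIPALS:
                findings.append(("unbaselined_principal", principal, e["eventTime"]))
            if not _ip_is_baselined(e["sourceIPAddress"]):
                findings.append(("unusual_source_ip", principal, e["eventTime"]))
            # Snapshot shortly before the launch and a volume attached shortly
            # after it, by the same principal: the copy-and-mount pattern.
            if (_any_within(evs, {"CreateSnapshot"}, t - CHAIN_WINDOW, t)
                    and _any_within(evs, {"AttachVolume"}, t, t + CHAIN_WINDOW)):
                findings.append(("snapshot_mount_chain", principal, e["eventTime"]))
            if _any_within(evs, POLICY_CHANGE_EVENTS, t, t + CHAIN_WINDOW):
                findings.append(("policy_change_after_create", principal, e["eventTime"]))
    return findings


if __name__ == "__main__":
    for rule, who, when in analyze(SAMPLE_EVENTS):
        print(f"{when} {rule:28} {who}")
```

On the constructed input the ci-deploy launch produces nothing, while the contractor-tmp launch trips all four rules. The correlation here is by principal and time only; production CloudTrail records also carry the new instance ID (in the RunInstances response and in the AttachVolume and security-group request parameters), which lets you tie the mount and the policy change to the specific instance that was just created. The same logic applies to Azure Activity Log entries for Microsoft.Compute/virtualMachines/write and to compute.instances.insert in GCP Cloud Audit Logs, with the field names adjusted.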

References