ID | Name |
---|---|
T1578.001 | Create Snapshot |
T1578.002 | Create Cloud Instance |
T1578.003 | Delete Cloud Instance |
T1578.004 | Revert Cloud Instance |
T1578.005 | Modify Cloud Compute Configurations |
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.[1]
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
ID | Name | Description |
---|---|---|
C0027 | C0027 | During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[2] |
G1004 | LAPSUS$ | LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.[3] |
G1015 | Scattered Spider | During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[2] Scattered Spider has also created Amazon EC2 instances within the victim's environment.[4] |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Routinely check user permissions to ensure only the expected users have the capability to create new instances. |
M1018 | User Account Management | Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[1] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0030 | Instance | Instance Creation | The creation of a new instance or VM is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account, or the unexpected creation of one or more snapshots followed by the creation of an instance, may indicate suspicious activity. In AWS, CloudTrail logs capture the creation of an instance in the `RunInstances` event, and in Azure the creation of a VM may be captured in Azure activity logs.[5] [6] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of `gcloud compute instances create` to create a VM.[7] Analytic 1: Operations performed by unexpected initiators, unusual resource names, frequent modifications. |
DS0030 | Instance | Instance Metadata | Periodically baseline instances to identify malicious modifications or additions. |
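As an added illustration (not part of the ATT&CK page or any vendor tooling), the following Python applies the chain-of-behavior logic described above to constructed CloudTrail-style records: a `RunInstances` event is flagged when its initiator is outside a baseline allow-list, or when the same initiator issued `CreateSnapshot` calls shortly before the launch. The ARNs, timestamps and allow-list prefix are invented for the example.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real logs); only the fields the
# detection reads are present. Principals, account id and times are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-x"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-x"}},
    {"eventTime": "2024-01-10T09:20:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-x"}},
    {"eventTime": "2024-01-10T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42"}},
    {"eventTime": "2024-01-10T11:00:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-43"}},
    {"eventTime": "2024-01-10T11:10:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-43"}},
]

# Hypothetical baseline: ARN prefixes of principals expected to launch instances.
# Assumed-role ARNs carry a session name, so matching is by prefix.
KNOWN_INITIATOR_PREFIXES = {"arn:aws:sts::123456789012:assumed-role/ci-deployer/"}


def _ts(event):
    """Parse the CloudTrail eventTime (UTC, ISO 8601 with trailing Z)."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_instance_creation(events, known_prefixes, window=timedelta(hours=1)):
    """Return one finding per RunInstances event that is either issued by an
    initiator outside the baseline or preceded, within `window`, by one or more
    CreateSnapshot calls from the same initiator (the snapshot-then-instance chain)."""
    findings = []
    ordered = sorted(events, key=_ts)
    for i, ev in enumerate(ordered):
        if ev["eventName"] != "RunInstances":
            continue
        arn = ev["userIdentity"]["arn"]
        reasons = []
        if not any(arn.startswith(p) for p in known_prefixes):
            reasons.append("unexpected_initiator")
        snapshots = [e for e in ordered[:i]
                     if e["eventName"] == "CreateSnapshot"
                     and e["userIdentity"]["arn"] == arn
                     and _ts(ev) - _ts(e) <= window]
        if snapshots:
            reasons.append(f"snapshots_before_launch={len(snapshots)}")
        if reasons:
            findings.append({"eventTime": ev["eventTime"], "arn": arn, "reasons": reasons})
    return findings
```

In the sample data the contractor's launch is flagged on both grounds, the routine CI launch at 10:00 produces no finding, and the CI launch at 11:10 is surfaced only because it followed a snapshot by the same session.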