T1578.001SubTechniquedefense-evasionagent-callable

T1578.001Create Snapshot

Sub-technique of T1578

Platforms: IaaS

ATT&CK version: 14.1

What it is

An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1578/001
  2. https://content.fireeye.com/m-trends/rpt-m-trends-2020
  3. https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
  4. https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
  5. https://cloud.google.com/logging/docs/audit#admin-activity
  6. https://cloud.google.com/compute/docs/instances/create-start-instance#api_2
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.