T1578.002 Create Cloud Instance

Sub-technique of T1578

Platforms: IaaS

ATT&CK version: 14.1

What it is

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002). (Citation: Mandiant M-Trends 2020) Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of currently running instances.
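The snapshot-then-launch sequence described above leaves a recognisable trail in cloud control-plane logs (see the CloudTrail, Azure Activity Log and GCP Admin Activity references below). The following is an added detection example, not part of the ATT&CK entry: it parses constructed CloudTrail-style records (the field names `eventName`, `userIdentity.arn`, `responseElements.snapshotId` and `requestParameters.blockDeviceMapping.items[].ebs.snapshotId` follow the CloudTrail record shape as assumed here, and the sample values are invented) and flags any `RunInstances` call that mounts a snapshot created shortly before, reporting which security groups the new instance was launched into so an analyst can judge whether the policy is looser than the source volume's.

```python
"""Detect snapshot-backed instance launches (T1578.002 pattern) in CloudTrail-style logs.

Added example for illustration; field names are assumed to follow the CloudTrail
record shape and the log lines below are constructed, not real telemetry.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample log: one suspicious sequence (svc-backup snapshots a volume and
# launches an instance from it 7 minutes later into a different security group),
# one ordinary launch by a deploy user, and one snapshot never followed by a launch.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventName":"CreateSnapshot","eventSource":"ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/svc-backup"},"requestParameters":{"volumeId":"vol-0a1"},"responseElements":{"snapshotId":"snap-0a1"}}
{"eventTime":"2024-05-01T10:07:00Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/svc-backup"},"requestParameters":{"blockDeviceMapping":{"items":[{"deviceName":"/dev/sdf","ebs":{"snapshotId":"snap-0a1"}}]},"groupSet":{"items":[{"groupId":"sg-open"}]}}}
{"eventTime":"2024-05-01T11:00:00Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/deploy"},"requestParameters":{"groupSet":{"items":[{"groupId":"sg-web"}]}}}
{"eventTime":"2024-05-01T12:00:00Z","eventName":"CreateSnapshot","eventSource":"ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/svc-backup"},"requestParameters":{"volumeId":"vol-0b2"},"responseElements":{"snapshotId":"snap-0b2"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON records and sort them by event time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def snapshot_ids_in_launch(ev):
    """Snapshot IDs referenced by a RunInstances block-device mapping (assumed field layout)."""
    items = ev.get("requestParameters", {}).get("blockDeviceMapping", {}).get("items", [])
    return {i["ebs"]["snapshotId"] for i in items if "snapshotId" in i.get("ebs", {})}


def security_groups_in_launch(ev):
    """Security group IDs the new instance is placed in (assumed field layout)."""
    items = ev.get("requestParameters", {}).get("groupSet", {}).get("items", [])
    return sorted(i["groupId"] for i in items if "groupId" in i)


def find_snapshot_backed_launches(events, window=timedelta(hours=6)):
    """Return one finding per RunInstances that mounts a snapshot created within `window`.

    Snapshots are tracked regardless of who created them, so a launch by a second
    principal reusing a fresh snapshot is also caught.
    """
    snapshots = {}  # snapshotId -> (creation time, creating principal)
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        principal = ev["userIdentity"]["arn"]
        if ev["eventName"] == "CreateSnapshot":
            sid = ev.get("responseElements", {}).get("snapshotId")
            if sid:
                snapshots[sid] = (ev["_time"], principal)
        elif ev["eventName"] == "RunInstances":
            for sid in snapshot_ids_in_launch(ev):
                created = snapshots.get(sid)
                if created is None:
                    continue
                age = ev["_time"] - created[0]
                if age <= window:
                    findings.append({
                        "snapshot_id": sid,
                        "snapshot_creator": created[1],
                        "launcher": principal,
                        "minutes_after_snapshot": int(age.total_seconds() // 60),
                        "security_groups": security_groups_in_launch(ev),
                        "launch_time": ev["eventTime"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_snapshot_backed_launches(parse_events(SAMPLE_LOG)):
        print(json.dumps(f))
```

The window and the security-group comparison are the tuning knobs: a legitimate backup-and-restore workflow will also produce this sequence, so in practice the finding is enriched with whether the groups differ from those on the snapshotted volume's original instance and whether the launching principal normally calls `RunInstances` at all. The same correlation applies to Azure (`Microsoft.Compute/snapshots/write` followed by `Microsoft.Compute/virtualMachines/write` in the Activity Log) and GCP Admin Activity audit logs, with the field names changed.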

ATT&CK tactics (1)

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1578/002
  2. https://content.fireeye.com/m-trends/rpt-m-trends-2020
  3. https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
  4. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
  5. https://cloud.google.com/logging/docs/audit#admin-activity

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.