An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1578.001 | Create Snapshot |
| AC-3 | Access Enforcement | Protects | T1578.001 | Create Snapshot |
| AC-5 | Separation of Duties | Protects | T1578.001 | Create Snapshot |
| AC-6 | Least Privilege | Protects | T1578.001 | Create Snapshot |
| CA-8 | Penetration Testing | Protects | T1578.001 | Create Snapshot |
| CM-5 | Access Restrictions for Change | Protects | T1578.001 | Create Snapshot |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1578.001 | Create Snapshot |
| IA-4 | Identifier Management | Protects | T1578.001 | Create Snapshot |
| IA-6 | Authentication Feedback | Protects | T1578.001 | Create Snapshot |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1578.001 | Create Snapshot |
| SI-4 | System Monitoring | Protects | T1578.001 | Create Snapshot |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1578.001 | Modify Cloud Computer Infrastructure: Create Snapshot |