An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1578.001 | Create Snapshot |
AC-03 | Access Enforcement | Protects | T1578.001 | Create Snapshot |
AC-05 | Separation of Duties | Protects | T1578.001 | Create Snapshot |
AC-06 | Least Privilege | Protects | T1578.001 | Create Snapshot |
CA-08 | Penetration Testing | Protects | T1578.001 | Create Snapshot |
CM-05 | Access Restrictions for Change | Protects | T1578.001 | Create Snapshot |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1578.001 | Create Snapshot |
IA-04 | Identifier Management | Protects | T1578.001 | Create Snapshot |
IA-06 | Authentication Feedback | Protects | T1578.001 | Create Snapshot |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1578.001 | Create Snapshot |
SI-04 | System Monitoring | Protects | T1578.001 | Create Snapshot |