An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
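The chain described above (snapshot created, then an instance or volume brought up from it, then inbound SSH opened) is what a defender would correlate in cloud audit logs. The following is an added example, not part of the ATT&CK page or of any mapped control: it runs over constructed, simplified CloudTrail-style records (the event names are real EC2 API actions; the record shape, principals and resource IDs are made up) and flags a principal that completes all three steps within a time window, while a routine backup role that only creates snapshots produces no alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MOUNT_STEPS = {"RunInstances", "AttachVolume"}   # instance launched / snapshot-backed volume attached
ADMIN_PORT = 22                                   # inbound SSH, as in the described chain

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _opens_admin_port(params):
    # A rule covers the admin port when fromPort <= 22 <= toPort; missing ports never match.
    return params.get("fromPort", -1) <= ADMIN_PORT <= params.get("toPort", -1)

def find_snapshot_chains(events, window_minutes=60):
    """Return (principal, snapshot_time) for each CreateSnapshot after which the same
    principal, within the window, also launched/attached compute and opened the admin port."""
    window = timedelta(minutes=window_minutes)
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    hits = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        for i, e in enumerate(evs):
            if e["event"] != "CreateSnapshot":
                continue
            start = _ts(e["time"])
            later = [x for x in evs[i + 1:] if _ts(x["time"]) - start <= window]
            mounted = any(x["event"] in MOUNT_STEPS for x in later)
            opened = any(x["event"] == "AuthorizeSecurityGroupIngress"
                         and _opens_admin_port(x["params"]) for x in later)
            if mounted and opened:
                hits.append((principal, e["time"]))
    return hits

# Constructed sample records (simplified CloudTrail-like shape; all names and IDs are made up).
BACKUP = "arn:aws:iam::111122223333:role/backup-bot"
SUSPECT = "arn:aws:iam::111122223333:user/contractor"
SAMPLE_EVENTS = [
    {"time": "2024-05-01T01:00:00Z", "principal": BACKUP, "event": "CreateSnapshot", "params": {"volumeId": "vol-0a1"}},
    {"time": "2024-05-01T02:00:00Z", "principal": BACKUP, "event": "CreateSnapshot", "params": {"volumeId": "vol-0b2"}},
    {"time": "2024-05-01T10:00:00Z", "principal": SUSPECT, "event": "CreateSnapshot", "params": {"volumeId": "vol-0a1"}},
    {"time": "2024-05-01T10:05:00Z", "principal": SUSPECT, "event": "RunInstances", "params": {"instanceType": "t3.micro"}},
    {"time": "2024-05-01T10:07:00Z", "principal": SUSPECT, "event": "AttachVolume", "params": {"volumeId": "vol-0c3"}},
    {"time": "2024-05-01T10:09:00Z", "principal": SUSPECT, "event": "AuthorizeSecurityGroupIngress", "params": {"fromPort": 22, "toPort": 22}},
]

if __name__ == "__main__":
    for principal, when in find_snapshot_chains(SAMPLE_EVENTS):
        print(f"ALERT: snapshot-to-SSH chain by {principal} starting {when}")
```

Tightening the window or widening MOUNT_STEPS to cover the equivalent API calls of other providers are the two knobs a practitioner would tune first.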
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.001 | Create Snapshot | The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses; such a modification can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions so that only the expected users can modify cloud compute infrastructure components. |
| PR.AA-01.01 | Identity and credential management | Mitigates | T1578.001 | Create Snapshot | This diagnostic statement protects against Create Snapshot through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-05 | Access Restrictions for Change | mitigates | T1578.001 | Create Snapshot | |
| IA-06 | Authentication Feedback | mitigates | T1578.001 | Create Snapshot | |
| IA-04 | Identifier Management | mitigates | T1578.001 | Create Snapshot | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1578.001 | Create Snapshot | |
| CM-02 | Baseline Configuration | mitigates | T1578.001 | Create Snapshot | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1578.001 | Create Snapshot | |
| SI-04 | System Monitoring | mitigates | T1578.001 | Create Snapshot | |
| AC-02 | Account Management | mitigates | T1578.001 | Create Snapshot | |
| AC-03 | Access Enforcement | mitigates | T1578.001 | Create Snapshot | |
| AC-05 | Separation of Duties | mitigates | T1578.001 | Create Snapshot | |
| AC-06 | Least Privilege | mitigates | T1578.001 | Create Snapshot | |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1578.001 | Create Snapshot | |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1578.001 | Create Snapshot | This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations. |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1578.001 | Create Snapshot | This control can identify anomalous admin activity. |