An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.(Citation: Mandiant M-Trends 2020)
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.002 | Create Cloud Instance |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1578.002 | Create Cloud Instance |
Comments
This diagnostic statement protects against Create Cloud Instance through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-05 | Access Restrictions for Change | mitigates | T1578.002 | Create Cloud Instance | |
| IA-06 | Authentication Feedback | mitigates | T1578.002 | Create Cloud Instance | |
| IA-04 | Identifier Management | mitigates | T1578.002 | Create Cloud Instance | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1578.002 | Create Cloud Instance | |
| CM-02 | Baseline Configuration | mitigates | T1578.002 | Create Cloud Instance | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1578.002 | Create Cloud Instance | |
| SI-04 | System Monitoring | mitigates | T1578.002 | Create Cloud Instance | |
| AC-02 | Account Management | mitigates | T1578.002 | Create Cloud Instance | |
| AC-03 | Access Enforcement | mitigates | T1578.002 | Create Cloud Instance | |
| AC-05 | Separation of Duties | mitigates | T1578.002 | Create Cloud Instance | |
| AC-06 | Least Privilege | mitigates | T1578.002 | Create Cloud Instance |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1578.002 | Create Cloud Instance |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1578.002 | Create Cloud Instance |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1578.002 | Create Cloud Instance |
Comments
This control can identify anomalous admin activity.
References
|