An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1578.001 | Create Snapshot |
AC-3 | Access Enforcement | Protects | T1578.001 | Create Snapshot |
AC-5 | Separation of Duties | Protects | T1578.001 | Create Snapshot |
AC-6 | Least Privilege | Protects | T1578.001 | Create Snapshot |
CA-8 | Penetration Testing | Protects | T1578.001 | Create Snapshot |
CM-5 | Access Restrictions for Change | Protects | T1578.001 | Create Snapshot |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1578.001 | Create Snapshot |
IA-4 | Identifier Management | Protects | T1578.001 | Create Snapshot |
IA-6 | Authentication Feedback | Protects | T1578.001 | Create Snapshot |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1578.001 | Create Snapshot |
SI-4 | System Monitoring | Protects | T1578.001 | Create Snapshot |
role_based_access_control | Role Based Access Control | technique_scores | T1578.001 | Create Snapshot |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1578.001 | Create Snapshot |