An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1578.001 | Create Snapshot | |
| AC-3 | Access Enforcement | Protects | T1578.001 | Create Snapshot | |
| AC-5 | Separation of Duties | Protects | T1578.001 | Create Snapshot | |
| AC-6 | Least Privilege | Protects | T1578.001 | Create Snapshot | |
| CA-8 | Penetration Testing | Protects | T1578.001 | Create Snapshot | |
| CM-5 | Access Restrictions for Change | Protects | T1578.001 | Create Snapshot | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1578.001 | Create Snapshot | |
| IA-4 | Identifier Management | Protects | T1578.001 | Create Snapshot | |
| IA-6 | Authentication Feedback | Protects | T1578.001 | Create Snapshot | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1578.001 | Create Snapshot | |
| SI-4 | System Monitoring | Protects | T1578.001 | Create Snapshot |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| role_based_access_control | Role Based Access Control | technique_scores | T1578.001 | Create Snapshot |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|
| cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1578.001 | Create Snapshot |
Comments
This control can identify anomalous admin activity.
References
|