An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.(Citation: Mandiant M-Trends 2020)
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1578.002 | Create Cloud Instance | |
| AC-3 | Access Enforcement | Protects | T1578.002 | Create Cloud Instance | |
| AC-5 | Separation of Duties | Protects | T1578.002 | Create Cloud Instance | |
| AC-6 | Least Privilege | Protects | T1578.002 | Create Cloud Instance | |
| CA-8 | Penetration Testing | Protects | T1578.002 | Create Cloud Instance | |
| CM-5 | Access Restrictions for Change | Protects | T1578.002 | Create Cloud Instance | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1578.002 | Create Cloud Instance | |
| IA-4 | Identifier Management | Protects | T1578.002 | Create Cloud Instance | |
| IA-6 | Authentication Feedback | Protects | T1578.002 | Create Cloud Instance | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1578.002 | Create Cloud Instance | |
| SI-4 | System Monitoring | Protects | T1578.002 | Create Cloud Instance |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| role_based_access_control | Role Based Access Control | technique_scores | T1578.002 | Create Cloud Instance |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|
| cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1578.002 | Create Cloud Instance |
Comments
This control can identify anomalous admin activity.
References
|