T1578.001 Create Snapshot Mappings

An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.

An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1578.001 Create Snapshot
AC-3 Access Enforcement Protects T1578.001 Create Snapshot
AC-5 Separation of Duties Protects T1578.001 Create Snapshot
AC-6 Least Privilege Protects T1578.001 Create Snapshot
CA-8 Penetration Testing Protects T1578.001 Create Snapshot
CM-5 Access Restrictions for Change Protects T1578.001 Create Snapshot
IA-2 Identification and Authentication (organizational Users) Protects T1578.001 Create Snapshot
IA-4 Identifier Management Protects T1578.001 Create Snapshot
IA-6 Authentication Feedback Protects T1578.001 Create Snapshot
RA-5 Vulnerability Monitoring and Scanning Protects T1578.001 Create Snapshot
SI-4 System Monitoring Protects T1578.001 Create Snapshot
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1578.001 Modify Cloud Computer Infrastructure: Create Snapshot