T1578.002 Create Cloud Instance Mappings

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging. (Citation: Mandiant M-Trends 2020)

Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1578.002 | Create Cloud Instance |
| AC-3 | Access Enforcement | Protects | T1578.002 | Create Cloud Instance |
| AC-5 | Separation of Duties | Protects | T1578.002 | Create Cloud Instance |
| AC-6 | Least Privilege | Protects | T1578.002 | Create Cloud Instance |
| CA-8 | Penetration Testing | Protects | T1578.002 | Create Cloud Instance |
| CM-5 | Access Restrictions for Change | Protects | T1578.002 | Create Cloud Instance |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1578.002 | Create Cloud Instance |
| IA-4 | Identifier Management | Protects | T1578.002 | Create Cloud Instance |
| IA-6 | Authentication Feedback | Protects | T1578.002 | Create Cloud Instance |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1578.002 | Create Cloud Instance |
| SI-4 | System Monitoring | Protects | T1578.002 | Create Cloud Instance |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance |