- Tactics
- defense-impairment
- Platforms
- IaaS
- Reference
- attack.mitre.org/techniques/T1578.002
Description
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.(Citation: Mandiant M-Trends 2020)
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the defense-impairment tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1112 — Modify Registry
- T1207 — Rogue Domain Controller
- T1222 — File and Directory Permissions Modification
- T1484 — Domain or Tenant Policy Modification
- T1553 — Subvert Trust Controls
- T1556 — Modify Authentication Process
- T1578 — Modify Cloud Compute Infrastructure
- T1599 — Network Boundary Bridging
- T1600 — Weaken Encryption
- T1601 — Modify System Image
- T1647 — Plist File Modification
- T1666 — Modify Cloud Resource Hierarchy