Modify Cloud Compute Infrastructure: Create Snapshot (T1578.001)

Tactic: Defense Impairment · Platforms: IaaS

The interactive view maps 1 detection strategy, 2 mitigations, 1 software entry to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Modify Cloud Compute Infrastructure (T1578).

Overview

An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.

An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.

Explore