Modify Cloud Compute Infrastructure: Create Cloud Instance (T1578.002)
Tactic: Defense Impairment · Platforms: IaaS
The interactive view maps 1 detection strategy, 2 mitigations, 2 threat groups, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Modify Cloud Compute Infrastructure (T1578).
Overview
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.