Description
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
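The chain described above (snapshot created, new instance launched, volume attached, inbound SSH opened) leaves a recognisable sequence in cloud audit logs when one principal performs every step within a short window. The following Python is an added detection example, not part of the ATT&CK page or any referenced tool: it correlates CloudTrail-style records per principal and reports the stages of the chain that follow a snapshot creation. The event names are the real AWS CloudTrail names for the EC2/RDS API calls; the log records, account ID and principal ARNs are constructed sample data.

```python
"""
Correlate cloud audit-log events into the snapshot-abuse chain: a principal
creates a snapshot, launches an instance, attaches a volume and opens inbound
SSH, all within a short window. Constructed sample records are included below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the chain, keyed by the CloudTrail eventName that marks each one.
SNAPSHOT_EVENTS = {"CreateSnapshot", "CreateDBSnapshot"}
FOLLOW_ON_EVENTS = {
    "RunInstances": "new_instance",
    "AttachVolume": "volume_attached",
    "AuthorizeSecurityGroupIngress": "inbound_rule_added",
}
SSH_PORT = 22


def _parse_time(ts):
    # CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _opens_ssh(event):
    """True if an AuthorizeSecurityGroupIngress call covers TCP port 22."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for p in perms:
        if p.get("ipProtocol") == "tcp" and p.get("fromPort", 0) <= SSH_PORT <= p.get("toPort", 0):
            return True
    return False


def find_snapshot_chains(events, window=timedelta(hours=1)):
    """Return one finding per snapshot creation that is followed, within
    `window` and by the same principal, by at least one follow-on stage."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)

    findings = []
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
        for i, e in enumerate(evs):
            if e["eventName"] not in SNAPSHOT_EVENTS:
                continue
            t0 = _parse_time(e["eventTime"])
            stages = set()
            for later in evs[i + 1:]:
                if _parse_time(later["eventTime"]) - t0 > window:
                    break  # events are sorted, nothing later is in the window
                name = later["eventName"]
                if name not in FOLLOW_ON_EVENTS:
                    continue
                # A security-group change only counts if it actually exposes SSH.
                if name == "AuthorizeSecurityGroupIngress" and not _opens_ssh(later):
                    continue
                stages.add(FOLLOW_ON_EVENTS[name])
            if stages:
                findings.append({
                    "principal": arn,
                    "snapshot_event": e["eventName"],
                    "stages": sorted(stages),
                    # All three follow-on stages together is the full chain.
                    "severity": "high" if len(stages) == len(FOLLOW_ON_EVENTS) else "medium",
                })
    return findings


def _ev(time, name, arn, params=None):
    # Minimal constructed CloudTrail-style record with only the fields used above.
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params or {}}


# Constructed sample data: a scheduled backup role and a suspicious user.
BACKUP = "arn:aws:iam::111111111111:role/nightly-backup"
SUSPECT = "arn:aws:iam::111111111111:user/contractor"

SAMPLE_EVENTS = [
    _ev("2024-05-01T02:00:00Z", "CreateSnapshot", BACKUP),
    _ev("2024-05-01T02:05:00Z", "CreateSnapshot", BACKUP),
    _ev("2024-05-01T10:00:00Z", "CreateSnapshot", SUSPECT),
    _ev("2024-05-01T10:04:00Z", "RunInstances", SUSPECT),
    _ev("2024-05-01T10:06:00Z", "AttachVolume", SUSPECT),
    _ev("2024-05-01T10:09:00Z", "AuthorizeSecurityGroupIngress", SUSPECT, {
        "ipPermissions": {"items": [{
            "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
            "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
]

if __name__ == "__main__":
    for finding in find_snapshot_chains(SAMPLE_EVENTS):
        print(finding)
```

The backup role produces no finding because snapshot creation on its own is routine; only the follow-on stages by the same principal make the sequence interesting. In production the principal key should also consider assumed-role session names, since an adversary may perform the stages under different sessions of the same role.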
Platforms
Mitigations (2)
Audit (M1047)
Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups.
User Account Management (M1018)
Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)
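Both mitigations come down to one recurring question: which principals can actually call the snapshot-creating APIs? The Python below is an added example for that entitlement review, not code from the ATT&CK page or any referenced tool. It evaluates IAM policy documents for the snapshot-creating actions (the action names are real EC2/RDS actions) and lists principals outside an expected allowlist. It is deliberately simplified: only Allow statements and Action/NotAction wildcard matching are considered, while Resource constraints, Condition blocks and explicit Deny statements are ignored, so its output is a starting point for review rather than a full policy evaluation. The policy documents and principal names are constructed sample data.

```python
"""
Entitlement review for snapshot/backup creation: which principals hold a
policy that allows the snapshot-creating API actions, and which of them are
not on the expected allowlist. Simplified evaluator (Allow statements and
Action/NotAction only); constructed sample policies are included below.
"""
from fnmatch import fnmatchcase

# API actions that create a point-in-time copy of compute or database storage.
SNAPSHOT_ACTIONS = [
    "ec2:CreateSnapshot",
    "ec2:CreateSnapshots",
    "rds:CreateDBSnapshot",
    "rds:CreateDBClusterSnapshot",
]


def _as_list(value):
    # IAM allows a single string or a list for Action, NotAction and Statement.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names match case-insensitively and support '*' and '?' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def statement_allows(stmt, action):
    """True if a single Allow statement grants `action` (Resource/Condition ignored)."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction grants everything except the listed patterns.
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def snapshot_capable(policies):
    """Map principal -> sorted list of snapshot actions its attached policies allow."""
    result = {}
    for principal, docs in policies.items():
        allowed = {
            action
            for doc in docs
            for stmt in _as_list(doc["Statement"])
            for action in SNAPSHOT_ACTIONS
            if statement_allows(stmt, action)
        }
        if allowed:
            result[principal] = sorted(allowed)
    return result


def unexpected_grantees(policies, expected):
    """Principals that can create snapshots but are not on the expected allowlist."""
    return sorted(p for p in snapshot_capable(policies) if p not in expected)


# Constructed sample data: principal -> list of attached policy documents.
SAMPLE_POLICIES = {
    "role/backup-automation": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:DescribeVolumes"], "Resource": "*"}]}],
    "user/contractor": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}],
    "role/read-only-auditor": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "rds:Describe*"], "Resource": "*"}]}],
    "user/power-user": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}],
}
EXPECTED_GRANTEES = {"role/backup-automation"}

if __name__ == "__main__":
    for principal, actions in snapshot_capable(SAMPLE_POLICIES).items():
        print(f"{principal}: {', '.join(actions)}")
    print("unexpected:", unexpected_grantees(SAMPLE_POLICIES, EXPECTED_GRANTEES))
```

The NotAction case is the one that most often slips through manual review: a "power user" policy that excludes only IAM and Organizations still grants every snapshot action. In a real review, feed this the output of the account's policy inventory and pair it with the provider's own policy simulator for the Deny and Condition handling this example omits.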
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can create snapshots of EBS volumes and RDS instances.(Citation: GitHub Pacu) |
References
Frequently Asked Questions
What is T1578.001 (Create Snapshot)?
T1578.001 is a MITRE ATT&CK technique named 'Create Snapshot'. It belongs to the Defense Impairment tactic(s). An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), vi...
How can T1578.001 be detected?
Detection of T1578.001 (Create Snapshot) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1578.001?
There are 2 documented mitigations for T1578.001. Key mitigations include: Audit, User Account Management.
Which threat groups use T1578.001?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.