Defense Impairment

T1578.002: Create Cloud Instance


T1578.002 · Sub-technique · 1 platform · 2 groups

Description

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.(Citation: Mandiant M-Trends 2020)

Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.

Platforms

IaaS

Mitigations (2)

M1047: Audit

Routinely check user permissions to ensure only the expected users have the capability to create new instances.

M1018: User Account Management

Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)
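Both mitigations above come down to one recurring question: which principals can actually launch a new instance? The following Python is an added example (not code from the ATT&CK page or from MITRE) of an entitlement review that answers it for a set of IAM-style identity policies. The policy documents, principal names and the allowlist of expected launchers are constructed for illustration; `ec2:RunInstances` is the real AWS action name for launching an EC2 instance, and the evaluation rule implemented here (explicit Deny beats Allow, no match is an implicit deny, `*` wildcards in Action) is the core of IAM's policy evaluation, simplified.

```python
"""Entitlement review for instance-creation rights (added example, not from the
ATT&CK page). Walks identity policies attached to each principal and reports
who can launch a compute instance, then diffs that against an allowlist."""
import fnmatch

# The real AWS action that launches an EC2 instance.
INSTANCE_CREATE_ACTIONS = {"ec2:RunInstances"}

# Constructed sample: principal -> attached policy documents (simplified IAM shape).
PRINCIPAL_POLICIES = {
    "role/ci-deployer": [{"Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"], "Resource": "*"},
    ]}],
    "user/alice": [{"Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ]}],
    "user/bob": [{"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},   # admin-equivalent
    ]}],
    "role/snapshot-admin": [{"Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"},  # explicit deny wins
    ]}],
}


def _as_list(value):
    """IAM allows Action to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action):
    """True if the statement's Action patterns (IAM-style '*' wildcards,
    case-insensitive) cover the given action."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))


def allows_action(policies, action):
    """Simplified IAM evaluation: any matching explicit Deny wins, otherwise a
    matching Allow grants, otherwise implicit deny. Conditions, NotAction and
    resource-level restrictions are deliberately ignored here."""
    allowed = False
    for doc in policies:
        for stmt in doc.get("Statement", []):
            if not statement_matches(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def principals_who_can_create_instances(principal_policies):
    """Sorted (principal, action) pairs for every principal able to launch."""
    return sorted(
        (principal, action)
        for principal, policies in principal_policies.items()
        for action in INSTANCE_CREATE_ACTIONS
        if allows_action(policies, action)
    )


def review_against_allowlist(principal_policies, expected_launchers):
    """The M1047 check: principals with launch rights that are not expected."""
    return sorted(p for p, _ in principals_who_can_create_instances(principal_policies)
                  if p not in expected_launchers)


if __name__ == "__main__":
    # Constructed allowlist: only the CI role is supposed to create instances.
    for principal in review_against_allowlist(PRINCIPAL_POLICIES, {"role/ci-deployer"}):
        print(f"REVIEW: {principal} can launch instances but is not an expected launcher")
```

On the constructed data this reports `user/bob`, whose `Action: "*"` grant is exactly the kind of standing administrative privilege M1018 says to reduce, while `role/snapshot-admin` is correctly excluded because its explicit Deny overrides the `ec2:*` Allow. Against a real account the policy documents would come from the provider's IAM API rather than a dict, and a complete review would also consider resource-level constraints, conditions, permission boundaries and group or role inheritance.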

Threat Groups (2)

| ID | Group | Context |
|---|---|---|
| G1004 | [LAPSUS$](https://attack.mitre.org/groups/G1004) | LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential ac... |
| G1015 | [Scattered Spider](https://attack.mitre.org/groups/G1015) | Scattered Spider has created Amazon EC2 instances within the victim's environment.(Citation: CISA Scattered S... |

Frequently Asked Questions

What is T1578.002 (Create Cloud Instance)?

T1578.002 is a MITRE ATT&CK sub-technique named 'Create Cloud Instance'. It belongs to the Defense Impairment tactic. An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules...

How can T1578.002 be detected?

Detection of T1578.002 (Create Cloud Instance) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
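For this technique the most useful "system log" is the cloud provider's control-plane audit trail, because every instance launch is an API call recorded there. The Python below is an added example (not from the ATT&CK page or from MITRE) of two detections run over a handful of constructed audit events in a simplified CloudTrail-like shape (`eventTime`, `eventName`, `userIdentity.arn`, `requestParameters`, `responseElements`): a launch by a principal outside the expected set, and the chain the Description outlines (snapshot a volume, launch a new instance from that snapshot, then loosen its security group). The ARNs, resource IDs, allowlist and one-hour window are constructed assumptions; the field layout follows CloudTrail's documented names for `RunInstances`, `CreateSnapshot` and `AuthorizeSecurityGroupIngress` but is trimmed to what the logic needs.

```python
"""Detection logic for T1578.002 over cloud audit-log events (added example,
not from the ATT&CK page). Input is a list of dicts in a simplified
CloudTrail-like shape; all sample data below is constructed."""
import json
from datetime import datetime, timedelta

# Constructed sample log: a benign launch by the CI role, followed by the
# snapshot -> launch-from-snapshot -> open-security-group chain by a user.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-05-01T09:00:00Z","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci-deployer"},"requestParameters":{"instanceType":"t3.micro","blockDeviceMapping":{"items":[]}},"responseElements":{"instancesSet":{"items":[{"instanceId":"i-0aaa"}]}}}
{"eventTime":"2024-05-01T10:00:00Z","eventName":"CreateSnapshot","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"volumeId":"vol-0db"},"responseElements":{"snapshotId":"snap-0c1"}}
{"eventTime":"2024-05-01T10:12:00Z","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"instanceType":"m5.large","blockDeviceMapping":{"items":[{"ebs":{"snapshotId":"snap-0c1"}}]}},"responseElements":{"instancesSet":{"items":[{"instanceId":"i-0bbb"}]}}}
{"eventTime":"2024-05-01T10:15:00Z","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"groupId":"sg-0e2","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}},"responseElements":{"_return":true}}
""".strip().splitlines()]

# Constructed allowlist of principals expected to launch instances (M1047 output).
APPROVED_LAUNCHERS = {"arn:aws:iam::111122223333:role/ci-deployer"}
CHAIN_WINDOW = timedelta(hours=1)  # assumed: how close the chain's steps must be


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(ev):
    return ev["userIdentity"]["arn"]


def launch_snapshot_ids(ev):
    """Snapshot IDs a RunInstances call mounts via its block device mapping."""
    items = ev.get("requestParameters", {}).get("blockDeviceMapping", {}).get("items", [])
    return {bdm["ebs"]["snapshotId"] for bdm in items if "snapshotId" in bdm.get("ebs", {})}


def detect(events, approved=APPROVED_LAUNCHERS, window=CHAIN_WINDOW):
    """Return alerts as (rule, actor, detail) tuples in event-time order."""
    alerts = []
    snapshot_created = {}   # snapshotId -> time of its CreateSnapshot
    snapshot_launch = {}    # actor -> (time, instanceId, snapshot ids) of last launch from a fresh snapshot
    for ev in sorted(events, key=_ts):
        name, actor, when = ev["eventName"], _actor(ev), _ts(ev)
        if name == "CreateSnapshot":
            snapshot_created[ev["responseElements"]["snapshotId"]] = when
        elif name == "RunInstances":
            instance = ev["responseElements"]["instancesSet"]["items"][0]["instanceId"]
            # Rule 1: any launch by a principal outside the expected set.
            if actor not in approved:
                alerts.append(("unexpected-launcher", actor, instance))
            # Remember launches that mount a snapshot taken within the window.
            fresh = {s for s in launch_snapshot_ids(ev)
                     if s in snapshot_created and when - snapshot_created[s] <= window}
            if fresh:
                snapshot_launch[actor] = (when, instance, fresh)
        elif name == "AuthorizeSecurityGroupIngress" and actor in snapshot_launch:
            # Rule 2: same actor loosens a security group soon after that launch.
            launched, instance, fresh = snapshot_launch[actor]
            if when - launched <= window:
                group = ev["requestParameters"]["groupId"]
                alerts.append(("snapshot-launch-then-open-sg", actor,
                               f"{instance} mounts {sorted(fresh)}; ingress opened on {group}"))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {actor}: {detail}")
```

On the sample data the CI role's launch is silent and the user's activity produces two alerts, one per rule. Rule 1 is only as good as the allowlist it is fed, which is why the audit in M1047 and this detection belong together; rule 2 is the higher-signal one because it keys on the sequence rather than on any single API call, so it survives the adversary using an account that legitimately has launch rights. In production the events would be streamed from the audit log service into a SIEM rather than embedded, and the same state-per-actor pattern is what a SIEM correlation rule expresses.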

What mitigations exist for T1578.002?

There are 2 documented mitigations for T1578.002. Key mitigations include: Audit, User Account Management.

Which threat groups use T1578.002?

Known threat groups using T1578.002 include: LAPSUS$, Scattered Spider.