T1578.001: Create Snapshot
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
vk_cloud: PT-CR-2307: VK_Cloud_Critical_Objects_Clone: Cloning and creating snapshots and backups of disks attached to critical virtual machines in VK Cloud. Attackers can use copies of critical objects to access the data stored on them, create their own virtual machines outside of the area protected by security systems, and hide the evidence of their activity. The obtained data can then be used to further compromise the system.
vk_cloud: PT-CR-2305: VK_Cloud_Critical_DB_Operation: An untrusted user performed an operation with a critical database in VK Cloud. Attackers can bypass protection or gain persistence in the system by changing or deleting a critical database, or creating its backup or a new user in it. These operations allow attackers to access sensitive information stored in the database and use it to further compromise the system.
Detection
ID: DS0020
Data source and component: Snapshot: Snapshot Creation
Description: The creation of a snapshot is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.
In AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.
In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.
Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot. It is also possible to detect the usage of the GCP API with the

ID: DS0020
Data source and component: Snapshot: Snapshot Metadata
Description: Periodically baseline snapshots to identify malicious modifications or additions.
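The behavior chain described above, applied to AWS CloudTrail, as an added example that is not part of the ATT&CK entry or of any Positive Technologies rule: the script pairs each CreateSnapshot event with later calls that use the resulting snapshot and flags cases where the consuming principal or source IP differs from the creator. The sample records are constructed and trimmed to the CloudTrail fields the check reads; it assumes that ModifySnapshotAttribute and CopySnapshot, like CreateVolume, carry the snapshot id in requestParameters.

```python
import json

# Constructed sample CloudTrail records (not real log data), trimmed to the
# fields this check reads; real records carry many more.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateSnapshot",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"snapshotId": "snap-0123"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "CreateVolume",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/new-user"},
     "requestParameters": {"snapshotId": "snap-0123"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateSnapshot",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"snapshotId": "snap-0456"}},
    {"eventTime": "2024-05-01T11:02:00Z", "eventName": "CreateVolume",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"snapshotId": "snap-0456"}},
]

# Calls that act on an existing snapshot (assumed to carry its id in requestParameters).
CONSUMERS = {"CreateVolume", "ModifySnapshotAttribute", "CopySnapshot"}

def snapshot_chains(events):
    """Pair each CreateSnapshot with later calls that use the new snapshot; a
    different principal or source IP than the creator is marked suspicious."""
    creators, findings = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):   # ISO-8601 sorts as text
        if ev["eventName"] == "CreateSnapshot":
            snap = (ev.get("responseElements") or {}).get("snapshotId")
            if snap:                         # a failed call carries no snapshotId
                creators[snap] = ev
        elif ev["eventName"] in CONSUMERS:
            snap = (ev.get("requestParameters") or {}).get("snapshotId")
            if snap in creators:
                made = creators[snap]
                same_user = ev["userIdentity"]["arn"] == made["userIdentity"]["arn"]
                same_ip = ev["sourceIPAddress"] == made["sourceIPAddress"]
                findings.append({"snapshot_id": snap, "action": ev["eventName"],
                                 "creator": made["userIdentity"]["arn"],
                                 "consumer": ev["userIdentity"]["arn"],
                                 "suspicious": not (same_user and same_ip)})
    return findings

if __name__ == "__main__":
    print(json.dumps(snapshot_chains(SAMPLE_EVENTS), indent=2))
```

A snapshot that is created and never consumed produces no finding; the check is meant to sit beside, not replace, plain alerting on who creates snapshots and from where.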
Mitigation
ID: M1047
Name: Audit
Description: Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups.

ID: M1018
Name: User Account Management
Description: Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies.