T1578.002: Create Cloud Instance
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
vsphere_suspicious_user_activity: PT-CR-513: Cloning_critical_VM: A security-critical virtual machine is cloned
vsphere_suspicious_user_activity: PT-CR-516: Mass_cloning_critical_VM: Multiple security-critical virtual machines are cloned
yandex_cloud: PT-CR-1251: Yandex_Cloud_Cluster_Potentially_Dangerous_Setting_Enable: Enabling of a potentially dangerous cluster setting is detected
yandex_cloud: PT-CR-1257: Yandex_Cloud_Kubernetes_Cluster_Potentially_Dangerous_Setting_Enable: Enabling of a potentially dangerous cluster setting is detected
yandex_cloud: PT-CR-1260: Yandex_Cloud_Kubernetes_Nodes_Potentially_Dangerous_Setting_Enable: Enabling of a potentially dangerous setting of a cluster node group is detected
yandex_cloud: PT-CR-815: Yandex_Cloud_Cluster_Creation_By_Not_Admin: A user who is not on the administrator list created a cluster
yandex_cloud: PT-CR-826: Yandex_Cloud_Virtual_Machine_With_Image_ID_From_Marketplace_Creation: A virtual machine with an image ID from Marketplace is created
yandex_cloud: PT-CR-1253: Yandex_Cloud_Cluster_Without_Security_Group_Creation: A cluster is created without using security groups
yandex_cloud: PT-CR-1254: Yandex_Cloud_Gitlab_Instance_Creation: A user created a GitLab instance
yandex_cloud: PT-CR-1258: Yandex_Cloud_Kubernetes_Cluster_Without_Security_Group_Creation: A cluster is created without using security groups
yandex_cloud: PT-CR-1261: Yandex_Cloud_LoadBalancer_Without_Security_Group_Creation: An application load balancer is created without using security groups
yandex_cloud: PT-CR-1269: Yandex_Cloud_Virtual_Machine_Without_Security_Group_Creation: A virtual machine is created without using security groups
vk_cloud: PT-CR-2290: VK_Cloud_VM_Create_Operation_By_Suspicious_User: A user who is not on the allowed users list created a virtual machine, which may indicate an attacker's attempt to prepare the environment for further attacks
vk_cloud: PT-CR-2296: VK_Cloud_Image_From_Marketplace_Creation: A user created or used an image from Marketplace to create a virtual machine, which may indicate an attacker's attempt to use an image version containing vulnerabilities
vk_cloud: PT-CR-2306: VK_Cloud_New_VM_from_Critical_Objects: A user created a virtual machine from a copy of a critical object in VK Cloud. Such operations allow attackers to access data stored on critical objects outside of the area protected by security systems and hide the evidence of their activity. In addition, attackers may try to pass off their virtual machine as a legitimate device.
vk_cloud: PT-CR-2307: VK_Cloud_Critical_Objects_Clone: Cloning and creating snapshots and backups of disks attached to critical virtual machines in VK Cloud. Attackers can use copies of critical objects to access the data stored on them, create their own virtual machines outside of the area protected by security systems, and hide the evidence of their activity. The obtained data can then be used to further compromise the system.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0030 | Instance: Instance Metadata | Periodically baseline instances to identify malicious modifications or additions. |
| DS0030 | Instance: Instance Creation | The creation of a new instance or VM is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account, or the unexpected creation of one or more snapshots followed by the creation of an instance, may indicate suspicious activity. In AWS, CloudTrail logs capture the creation of an instance in the `RunInstances` event, and in Azure the creation of a VM may be captured in Azure activity logs. Google's Admin Activity audit logs within Cloud Audit Logs can be used to detect the use of `gcloud compute instances create` to create a VM. |
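The two behavior chains named above (instance creation by a newly created user, and snapshot creation followed by instance creation by the same principal) as a small correlation rule over CloudTrail-shaped records. This is an added example, not code from the page or from any Positive Technologies product; the events, account id 111111111111 and user names are constructed, and the 24-hour window is an assumed tuning value.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window between chained events

# Constructed sample events (not real logs). Field names follow the
# CloudTrail record format: eventTime, eventName, userIdentity.arn.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
     "requestParameters": {"userName": "svc-tmp"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-tmp"}},
    {"eventTime": "2024-05-01T08:07:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-tmp"}},
    # Routine launch by a long-standing automation user: must not fire.
    {"eventTime": "2024-05-02T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/deploy-bot"}},
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_instance_creation(events, window=WINDOW):
    """Return RunInstances events that follow creation of the acting user,
    or a CreateSnapshot by the same principal, within `window`."""
    new_users = {}   # IAM user name -> time it was created
    snapshots = {}   # actor ARN -> time of its last CreateSnapshot
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        t = parse_time(ev["eventTime"])
        actor = ev["userIdentity"]["arn"]
        name = ev["eventName"]
        if name == "CreateUser":
            new_users[ev["requestParameters"]["userName"]] = t
        elif name == "CreateSnapshot":
            snapshots[actor] = t
        elif name == "RunInstances":
            reasons = []
            created = new_users.get(actor.rsplit("/", 1)[-1])
            if created is not None and t - created <= window:
                reasons.append("actor created %s before launch" % (t - created))
            snap = snapshots.get(actor)
            if snap is not None and t - snap <= window:
                reasons.append("CreateSnapshot by same actor %s before launch" % (t - snap))
            if reasons:
                findings.append({"time": ev["eventTime"], "actor": actor, "reasons": reasons})
    return findings
```

Only the svc-tmp launch is reported, with both reasons attached; the deploy-bot launch has no preceding user creation or snapshot and stays silent.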
Mitigation
| ID | Name | Description |
|---|---|---|
| M1047 | Audit | Routinely check user permissions to ensure only the expected users have the capability to create new instances. |
| M1018 | User Account Management | Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies. |