T1578.002: Create Cloud Instance
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. A freshly created instance is not subject to the firewall rules, security groups, and permissions that were applied to the instances already residing in the account, and it typically carries none of the monitoring agents deployed on them. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots to it, and then apply a less restrictive security policy to collect Data from Local System or to use the instance for Remote Data Staging.
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
proxmox: PT-CR-2735: ProxMox_VE_Critical_VM_Container_Manipulation: A user performed an action on a critical VM or container in Proxmox. Such actions allow attackers to hide the evidence of their activity, disrupt system availability or functionality, remove security tools, extract or delete important data, embed backdoors, or perform lateral movement within a network.
yandex_cloud: PT-CR-815: Yandex_Cloud_Cluster_Creation_By_Not_Admin: A user who is not on the administrator list created a cluster.
yandex_cloud: PT-CR-1260: Yandex_Cloud_Kubernetes_Nodes_Potentially_Dangerous_Setting_Enable: A potentially dangerous setting was enabled on a cluster node group.
yandex_cloud: PT-CR-1251: Yandex_Cloud_Cluster_Potentially_Dangerous_Setting_Enable: A potentially dangerous cluster setting was enabled.
yandex_cloud: PT-CR-826: Yandex_Cloud_Virtual_Machine_With_Image_ID_From_Marketplace_Creation: A virtual machine was created from a Marketplace image ID.
yandex_cloud: PT-CR-1269: Yandex_Cloud_Virtual_Machine_Without_Security_Group_Creation: A virtual machine was created without any security group.
yandex_cloud: PT-CR-1254: Yandex_Cloud_Gitlab_Instance_Creation: A user created a GitLab instance.
yandex_cloud: PT-CR-1253: Yandex_Cloud_Cluster_Without_Security_Group_Creation: A cluster was created without any security group.
yandex_cloud: PT-CR-1258: Yandex_Cloud_Kubernetes_Cluster_Without_Security_Group_Creation: A Kubernetes cluster was created without any security group.
yandex_cloud: PT-CR-1257: Yandex_Cloud_Kubernetes_Cluster_Potentially_Dangerous_Setting_Enable: A potentially dangerous Kubernetes cluster setting was enabled.
yandex_cloud: PT-CR-1261: Yandex_Cloud_LoadBalancer_Without_Security_Group_Creation: An application load balancer was created without any security group.
vk_cloud: PT-CR-2290: VK_Cloud_VM_Create_Operation_By_Suspicious_User: A user who is not on the allowed users list created a virtual machine, which may indicate an attacker's attempt to prepare the environment for further attacks.
vk_cloud: PT-CR-2307: VK_Cloud_Critical_Objects_Clone: Disks attached to critical virtual machines in VK Cloud were cloned, snapshotted, or backed up. Attackers can use copies of critical objects to access the data stored on them, create their own virtual machines outside of the area protected by security systems, and hide the evidence of their activity. The obtained data can then be used to further compromise the system.
vk_cloud: PT-CR-2306: VK_Cloud_New_VM_From_Critical_Objects: A user created a virtual machine from a copy of a critical object in VK Cloud. Such operations allow attackers to access data stored on critical objects outside of the area protected by security systems and hide the evidence of their activity. In addition, attackers may try to pass off their virtual machine as a legitimate device.
vk_cloud: PT-CR-2296: VK_Cloud_Image_From_Marketplace_Creation: A user created or used a Marketplace image to create a virtual machine, which may indicate an attacker's attempt to use an image version containing vulnerabilities.
vsphere_suspicious_user_activity: PT-CR-516: Mass_Cloning_Critical_VM: Multiple security-critical virtual machines were cloned.
vsphere_suspicious_user_activity: PT-CR-513: Cloning_Critical_VM: A security-critical virtual machine was cloned.
Detection
ID | Data source and component | Description
---|---|---
DS0030 | Instance: Instance Metadata | Periodically baseline instances to identify malicious modifications or additions.
DS0030 | Instance: Instance Creation | The creation of a new instance or VM is a routine operation in most cloud environments, so creation events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a newly created user account, or the unexpected creation of one or more snapshots followed by the creation of an instance, may indicate suspicious activity. In AWS, CloudTrail logs capture the creation of an instance in the RunInstances event; in Azure the creation of a VM may be captured in Azure activity logs. Google's Admin Activity audit logs within Cloud Audit Logs can be used to detect the use of gcloud compute instances create to create a VM.
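The two behavior chains described above (snapshot creation followed by an instance launch, and an instance launch by a freshly created user), plus a baseline check on who launches instances, are expressed below as detection logic over CloudTrail-style records. This is an added example, not code from ATT&CK or from MaxPatrol SIEM; the event records are constructed and cut down to the few fields the checks need, and the baseline set of expected launchers is a hypothetical allow list that in practice would be derived from historical RunInstances activity.

```python
from datetime import datetime, timedelta, timezone

# Constructed, minimal CloudTrail-style records for illustration only. Real
# records carry many more fields (eventSource, awsRegion, sourceIPAddress, ...).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-pipeline"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-7"},
     "requestParameters": {"volumeId": "vol-0aaa1111"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-7"},
     "requestParameters": {"volumeId": "vol-0bbb2222"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-7"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-alice"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup2"}},
]

# Hypothetical baseline: principals that are expected to launch instances.
BASELINE_LAUNCHERS = {"arn:aws:iam::111122223333:user/build-pipeline"}


def _ts(event):
    """Parse the CloudTrail eventTime string into an aware UTC datetime."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(event):
    return event["userIdentity"]["arn"]


def launches_outside_baseline(events, baseline):
    """Principals that issued RunInstances but are not in the baseline set."""
    return sorted({_actor(e) for e in events
                   if e["eventName"] == "RunInstances" and _actor(e) not in baseline})


def snapshot_then_launch(events, window_minutes=60):
    """Launches preceded, within the window, by CreateSnapshot calls from the same principal."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for launch in events:
        if launch["eventName"] != "RunInstances":
            continue
        t_launch = _ts(launch)
        volumes = [e["requestParameters"]["volumeId"] for e in events
                   if e["eventName"] == "CreateSnapshot"
                   and _actor(e) == _actor(launch)
                   and t_launch - window <= _ts(e) <= t_launch]
        if volumes:
            hits.append({"actor": _actor(launch), "snapshots_of": volumes,
                         "launch_time": launch["eventTime"]})
    return hits


def launch_by_new_user(events, window_minutes=24 * 60):
    """Launches by an IAM user whose CreateUser event lies within the window before the launch."""
    window = timedelta(minutes=window_minutes)
    created = {e["requestParameters"]["userName"]: _ts(e)
               for e in events if e["eventName"] == "CreateUser"}
    hits = []
    for launch in events:
        if launch["eventName"] != "RunInstances":
            continue
        user_name = _actor(launch).rsplit("/", 1)[-1]   # ".../user/<name>" -> "<name>"
        if user_name in created and timedelta(0) <= _ts(launch) - created[user_name] <= window:
            hits.append({"actor": _actor(launch), "created_at": created[user_name].isoformat(),
                         "launch_time": launch["eventTime"]})
    return hits


def run_detections(events, baseline):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "outside_baseline": launches_outside_baseline(events, baseline),
        "snapshot_then_launch": snapshot_then_launch(events),
        "launch_by_new_user": launch_by_new_user(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_detections(SAMPLE_EVENTS, BASELINE_LAUNCHERS), indent=2))
```

On the sample data the baseline check flags both contractor-7 and svc-backup2, the snapshot chain flags contractor-7 (two snapshots 15 minutes before the launch), and the new-user chain flags svc-backup2. The window sizes are the tunable part: a pipeline that legitimately snapshots and then launches every hour will need the snapshot window shortened or the pipeline principal added to the baseline, which is exactly the "not in isolation" point the detection text makes.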
Mitigation
ID | Name | Description
---|---|---
M1018 | User Account Management | Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.
M1047 | Audit | Routinely check user permissions to ensure only the expected users have the capability to create new instances.