MITRE ATT&CK / T1578.001
T1578.001
Create Snapshot
Description
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
Platforms
Mitigations
- M1047 — Audit
- M1018 — User Account Management
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →