The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples: an `instance.insert` action recorded.

Data Collection Measures:

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | The creation of a new instance or VM is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account, or the unexpected creation of one or more snapshots followed by the creation of an instance, may indicate suspicious activity. In AWS, CloudTrail logs capture the creation of an instance in the `RunInstances` event, and in Azure the creation of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of `gcloud compute instances create` to create a VM.[5] |
| | .002 | Create Cloud Instance | As for T1578 above. Analytic 1 - Operations performed by unexpected initiators, unusual resource names, frequent modifications |
| Enterprise | T1535 | Unused/Unsupported Cloud Regions | Monitor system logs to review instance activities occurring across all cloud environments and regions. |
| Enterprise | T1204 | User Execution | Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. |
| | .003 | Malicious Image | Monitor for newly constructed instances that may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. |
Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples: the `TerminateInstances` API call, which is recorded in CloudTrail logs; the `Microsoft.Compute/virtualMachines/delete` operation.

Data Collection Measures:

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1485 | Data Destruction | Monitor for unexpected deletion of a virtual machine or database instance (ex: |
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | The deletion of an instance or virtual machine is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity. In AWS, CloudTrail logs capture the deletion of an instance in the `TerminateInstances` event, and in Azure the deletion of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of `gcloud compute instances delete` to delete a VM.[5] |
| | .003 | Delete Cloud Instance | As for T1578 above. Analytic 1 - Operations performed by unexpected initiators, unusual resource names, frequent deletions |
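As an added example (not part of the ATT&CK page), the two chains described in the Instance Creation and Instance Deletion detection text above, expressed as detection logic over constructed CloudTrail-style events. The two-hour window, the seven-day "new account" age, the use of `AttachVolume` as the stand-in for mounting a snapshot, and the event field names are assumptions; account creation times would come from IAM, not from CloudTrail.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)       # assumption: steps of one chain fall within 2 h
NEW_ACCOUNT = timedelta(days=7)   # assumption: an account under 7 days old is "new"
CHAIN = ("RunInstances", "AttachVolume", "TerminateInstances")  # AttachVolume assumed


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_chains(events, account_created):
    """Return (rule, user, instanceId) alerts from time-sorted CloudTrail-like
    events {time, user, eventName, instanceId?}. account_created maps each
    user to the creation time of its IAM account."""
    alerts = []
    for user in sorted({e["user"] for e in events}):
        evs = [e for e in events if e["user"] == user]
        is_new = _t(evs[0]["time"]) - _t(account_created[user]) < NEW_ACCOUNT
        snaps = [_t(e["time"]) for e in evs if e["eventName"] == "CreateSnapshot"]
        progress = {}  # instanceId -> (chain steps matched, time of first step)
        for e in evs:
            now, name, iid = _t(e["time"]), e["eventName"], e.get("instanceId")
            if name == "RunInstances":
                # Creation chain: snapshot(s) taken shortly before a launch.
                if any(timedelta(0) <= now - s <= WINDOW for s in snaps):
                    alerts.append(("snapshot_then_create", user, iid))
                if is_new:
                    alerts.append(("create_by_new_account", user, iid))
            if iid and name in CHAIN:
                # Deletion chain: create -> attach volume -> terminate, one instance.
                done, start = progress.get(iid, (0, now))
                if done < 3 and name == CHAIN[done] and now - start <= WINDOW:
                    progress[iid] = (done + 1, start)
                    if done + 1 == 3 and is_new:
                        alerts.append(("create_attach_terminate_by_new_account", user, iid))
    return alerts


# Constructed sample: a two-day-old account snapshots a volume, launches an
# instance, attaches the volume and terminates the instance within an hour.
SAMPLE_ACCOUNTS = {"alice": "2023-01-01T00:00:00Z", "mallory": "2024-03-09T00:00:00Z"}
SAMPLE_EVENTS = [
    {"time": "2024-03-11T09:00:00Z", "user": "alice", "eventName": "RunInstances", "instanceId": "i-0a"},
    {"time": "2024-03-11T10:00:00Z", "user": "mallory", "eventName": "CreateSnapshot"},
    {"time": "2024-03-11T10:20:00Z", "user": "mallory", "eventName": "RunInstances", "instanceId": "i-0b"},
    {"time": "2024-03-11T10:25:00Z", "user": "mallory", "eventName": "AttachVolume", "instanceId": "i-0b"},
    {"time": "2024-03-11T10:50:00Z", "user": "mallory", "eventName": "TerminateInstances", "instanceId": "i-0b"},
]
```

The long-lived account's routine `RunInstances` produces no alert; the new account trips all three rules.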
The process of retrieving or querying a list of virtual machine instances or compute instances within a cloud infrastructure. This activity provides a view of all available or running instances, typically including their associated metadata such as instance ID, name, state, and configuration details. Examples: the `DescribeInstances` API call, which retrieves information about running or stopped EC2 instances; the `Microsoft.Compute/virtualMachines/read` operation; the `instance.list` operation within GCP Audit Logs.

Data Collection Measures:

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1580 | Cloud Infrastructure Discovery | Monitor cloud logs for API calls and other potentially unusual activity related to cloud instance enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
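An added example (not from the ATT&CK page) of the enumeration monitoring described above: a sliding-window count of the three enumeration operations named on this page, per principal, that alerts on a burst of calls or on calls spanning more regions than a principal normally touches (this also serves the T1535 advice to review instance activity across all regions). The window, both thresholds, and the normalized event fields are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration operations named on the page, one per provider.
ENUM_OPS = {"DescribeInstances", "Microsoft.Compute/virtualMachines/read", "instance.list"}
WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting calls
MAX_CALLS = 20                  # assumption: more calls than this per window is a burst
MAX_REGIONS = 3                 # assumption: touching more regions than this is unusual


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def enumeration_bursts(events):
    """Sliding-window count of instance-enumeration calls per principal.
    events: time-sorted dicts {time, user, op, region}. Returns one alert
    (user, calls_in_window, regions_in_window) per principal, emitted at the
    moment a threshold first trips."""
    alerts, tripped = [], set()
    recent = defaultdict(list)  # user -> [(time, region)] inside the window
    for e in events:
        if e["op"] not in ENUM_OPS:
            continue
        now = _t(e["time"])
        window = [(t, r) for t, r in recent[e["user"]] if now - t <= WINDOW]
        window.append((now, e["region"]))
        recent[e["user"]] = window
        regions = {r for _, r in window}
        if (len(window) > MAX_CALLS or len(regions) > MAX_REGIONS) and e["user"] not in tripped:
            tripped.add(e["user"])
            alerts.append((e["user"], len(window), sorted(regions)))
    return alerts


def _sample():
    """Constructed log: a deploy bot describes one region every 10 minutes;
    a contractor sweeps four regions within a minute."""
    evs = [{"time": f"2024-03-11T09:{m:02d}:00Z", "user": "deploy-bot",
            "op": "DescribeInstances", "region": "us-east-1"} for m in range(0, 50, 10)]
    for i, region in enumerate(["us-east-1", "eu-west-1", "ap-south-1", "sa-east-1"]):
        evs.append({"time": f"2024-03-11T09:30:{i * 15:02d}Z", "user": "contractor",
                    "op": "DescribeInstances", "region": region})
    return sorted(evs, key=lambda e: e["time"])


SAMPLE_EVENTS = _sample()
```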
Contextual data about an instance and activity around it such as name, type, or status.

Data Collection Measures:

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Periodically baseline instances to identify malicious modifications or additions. |
| | .002 | Create Cloud Instance | Periodically baseline instances to identify malicious modifications or additions. |
| | .003 | Delete Cloud Instance | Periodically baseline instances to identify malicious modifications or additions. |
| | .004 | Revert Cloud Instance | Periodically baseline instances to identify malicious modifications or additions. |
| Enterprise | T1535 | Unused/Unsupported Cloud Regions | Monitor and consider configuring alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold. |
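An added example (not from the ATT&CK page) of the periodic baselining and region alerting described above: a comparison of a stored instance inventory against a fresh one that reports additions, removals, changed metadata fields, instances in regions the organization does not normally use, and regions whose instance count exceeds a threshold. The inventory shape, the expected-region set, and the threshold are assumptions.

```python
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}  # assumption: regions the org uses
MAX_PER_REGION = 10                             # assumption: alert above this count
FIELDS = ("name", "type", "state", "region")    # metadata fields compared


def diff_baseline(baseline, current):
    """Compare a stored instance inventory with a fresh one.
    Both are {instance_id: {name, type, state, region}}. Returns findings:
    added/removed instances, modified fields, instances in regions outside
    EXPECTED_REGIONS, and regions whose instance count exceeds MAX_PER_REGION."""
    findings = []
    for iid in sorted(set(current) - set(baseline)):
        findings.append(("added", iid, current[iid]))
    for iid in sorted(set(baseline) - set(current)):
        findings.append(("removed", iid, baseline[iid]))
    for iid in sorted(set(baseline) & set(current)):
        changed = {f: (baseline[iid].get(f), current[iid].get(f))
                   for f in FIELDS if baseline[iid].get(f) != current[iid].get(f)}
        if changed:
            findings.append(("modified", iid, changed))
    per_region = {}
    for iid in sorted(current):
        region = current[iid]["region"]
        per_region[region] = per_region.get(region, 0) + 1
        if region not in EXPECTED_REGIONS:
            findings.append(("unused_region", iid, region))
    for region, count in sorted(per_region.items()):
        if count > MAX_PER_REGION:
            findings.append(("region_threshold", region, count))
    return findings


# Constructed inventories: between baselines, i-1 was resized to a GPU type
# and an unknown instance appeared in a region the organization does not use.
BASELINE = {
    "i-1": {"name": "web", "type": "t3.small", "state": "running", "region": "us-east-1"},
    "i-2": {"name": "db", "type": "r5.large", "state": "running", "region": "eu-west-1"},
}
CURRENT = {
    "i-1": {"name": "web", "type": "p3.8xlarge", "state": "running", "region": "us-east-1"},
    "i-2": {"name": "db", "type": "r5.large", "state": "running", "region": "eu-west-1"},
    "i-3": {"name": "tmp", "type": "p3.8xlarge", "state": "running", "region": "ap-southeast-2"},
}
```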
Changes made to a virtual machine (VM) or compute instance, including alterations to its configuration, metadata, attached policies, or operational state. Such modifications can include updating metadata, attaching or detaching resource policies, resizing instances, or modifying network configurations. Examples: `ModifyInstanceAttribute`, `ModifyInstanceMetadataOptions`, or `RebootInstances`; `Microsoft.Compute/virtualMachines/write`; `instances.setMetadata`, `instances.addResourcePolicies`, or `instances.resize`.

Data Collection Measures:

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| | .004 | Revert Cloud Instance | As for T1578 above. |
The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples: `instance.start` API activity; `StartInstances` in AWS CloudTrail for EC2 instances; `Microsoft.Compute/virtualMachines/start` entries indicate a VM instance being started.

Data Collection Measures:

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to activation of instances that are occurring outside of normal activity/planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| | .004 | Revert Cloud Instance | As for T1578 above. |
| Enterprise | T1204 | User Execution | Monitor for the activation or invocation of an instance (ex: `instance.start` within GCP Audit Logs). |
| | .003 | Malicious Image | Monitor for the activation or invocation of an instance (ex: `instance.start` within GCP Audit Logs). |
The deactivation or shutdown of a virtual machine instance within a cloud infrastructure. This action typically involves stopping a running instance, which halts its operation and releases certain associated resources, such as CPU and memory. Examples: `instance.stop` events recorded in GCP Audit Logs indicate the deactivation of an instance; `StopInstances` actions in AWS CloudTrail indicate EC2 instances being stopped; `Microsoft.Compute/virtualMachines/deallocate` or `stop` events in Azure Activity Logs represent a virtual machine being stopped or deallocated.

Data Collection Measures:

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to deactivation of instances that are occurring outside of planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| | .004 | Revert Cloud Instance | As for T1578 above. |
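The Instance Modification, Instance Start, and Instance Stop detection text above all recommend a change-management identifier logged with each change to separate planned operations from unexpected ones. As an added example (not from the ATT&CK page), the following checks normalized events carrying the operations named in those three components against a table of approved changes, flagging events with no identifier, an unknown identifier, a timestamp outside the approved window, or a resource the change did not cover. The event shape, the `change_id` field, and the approved-change record format are assumptions; how the identifier reaches the log (tag or header) depends on the provider.

```python
from datetime import datetime

# Operations from this page's Instance Modification, Start and Stop components.
CHANGE_OPS = {
    "ModifyInstanceAttribute", "ModifyInstanceMetadataOptions", "RebootInstances",
    "StartInstances", "StopInstances",
    "Microsoft.Compute/virtualMachines/write", "Microsoft.Compute/virtualMachines/start",
    "Microsoft.Compute/virtualMachines/deallocate",
    "instances.setMetadata", "instances.addResourcePolicies", "instances.resize",
    "instance.start", "instance.stop",
}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unplanned_changes(events, approved):
    """Flag instance state or configuration changes not covered by an approved
    change. events: normalized {time, op, principal, resource, change_id?}
    (assumed shape), where change_id is whatever identifier the change process
    stamps on the request. approved maps change_id to {"start", "end",
    "resources"}. Returns (rule, op, resource, principal) findings."""
    findings = []
    for e in events:
        if e["op"] not in CHANGE_OPS:
            continue
        cid = e.get("change_id")
        ref = (e["op"], e["resource"], e["principal"])
        chg = approved.get(cid) if cid else None
        if cid is None:
            findings.append(("no_change_id",) + ref)
        elif chg is None:
            findings.append(("unknown_change_id",) + ref)
        elif not _t(chg["start"]) <= _t(e["time"]) <= _t(chg["end"]):
            findings.append(("outside_change_window",) + ref)
        elif e["resource"] not in chg["resources"]:
            findings.append(("resource_not_in_change",) + ref)
    return findings


# Constructed data: one approved maintenance window plus three events outside it.
APPROVED = {"CHG-1001": {"start": "2024-03-11T22:00:00Z", "end": "2024-03-12T02:00:00Z",
                         "resources": {"i-web-1"}}}
SAMPLE_EVENTS = [
    {"time": "2024-03-11T22:10:00Z", "op": "StopInstances", "principal": "ops", "resource": "i-web-1", "change_id": "CHG-1001"},
    {"time": "2024-03-11T22:15:00Z", "op": "ModifyInstanceAttribute", "principal": "ops", "resource": "i-web-1", "change_id": "CHG-1001"},
    {"time": "2024-03-11T23:00:00Z", "op": "StartInstances", "principal": "ops", "resource": "i-web-1", "change_id": "CHG-1001"},
    {"time": "2024-03-12T03:30:00Z", "op": "instance.stop", "principal": "svc-backup", "resource": "db-primary"},
    {"time": "2024-03-12T15:00:00Z", "op": "Microsoft.Compute/virtualMachines/deallocate", "principal": "contractor", "resource": "vm-jump", "change_id": "CHG-9999"},
    {"time": "2024-03-12T04:00:00Z", "op": "instances.setMetadata", "principal": "ops", "resource": "i-web-1", "change_id": "CHG-1001"},
]
```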