T1578.002

Create Cloud Instance

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may create a snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect data from the local system or to stage data for remote exfiltration. LAPSUS$ has been observed creating new virtual machines within target cloud environments after leveraging credential access to cloud assets. Scattered Spider has created Amazon EC2 instances within victim environments to establish persistence and stage exfiltrated data. This technique lets adversaries operate in an isolated compute environment without touching existing running instances, evading endpoint-based detection tools that only monitor known workloads.

Microsoft Sentinel / Defender

```kusto
let AzureInstanceCreate = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
| where ActivityStatusValue =~ "Succeeded"
| extend CloudProvider = "Azure"
| extend Actor = Caller
| extend SourceIP = CallerIpAddress
| extend InstanceIdentifier = Resource
| extend Scope = ResourceGroup
| extend AccountScope = SubscriptionId
| project TimeGenerated, CloudProvider, Actor, SourceIP, InstanceIdentifier, Scope, AccountScope, Level;
let AWSInstanceCreate = AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName =~ "RunInstances"
| where isempty(ErrorCode)
| extend CloudProvider = "AWS"
| extend Actor = tostring(UserIdentityArn)
| extend SourceIP = SourceIpAddress
| extend InstanceIdentifier = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)
| extend Scope = AwsRegion
| extend AccountScope = RecipientAccountId
| project TimeGenerated, CloudProvider, Actor, SourceIP, InstanceIdentifier, Scope, AccountScope;
union isfuzzy=true AzureInstanceCreate, AWSInstanceCreate
| sort by TimeGenerated desc
```

Severity: High. Confidence: Medium.

Data Sources

  • Cloud Service: Cloud Service Modification
  • Azure Activity Logs
  • AWS CloudTrail
  • Microsoft Sentinel AzureActivity table
  • Microsoft Sentinel AWSCloudTrail table

Required Tables

  • AzureActivity
  • AWSCloudTrail

False Positives

  • Authorized DevOps pipelines and CI/CD systems (GitHub Actions, Azure DevOps, Jenkins) that create ephemeral compute instances for build and test workloads — typically identifiable by service principal caller identity
  • Auto-scaling group events triggered by legitimate load spikes — cloud-native scaling policies routinely invoke RunInstances without human intervention
  • Infrastructure-as-Code deployments (Terraform, Pulumi, Bicep, CloudFormation) run by authorized engineers during planned change windows
  • Disaster recovery testing and failover drills that spin up instances in secondary regions as part of documented runbooks
  • Cloud security posture management tools (Prisma Cloud, Wiz, Orca Security) that deploy scan or assessment instances into target environments
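
The following is an added example, not part of the original detection package: it re-implements the Sentinel query's two branches and the union over constructed sample records, then applies the kind of actor-based tuning the false positives above call for. The column names follow the AzureActivity and AWSCloudTrail tables; the sample rows, the `EXPECTED_AUTOMATION` list and the `sp-github-actions` principal name are constructed assumptions.

```python
import json
# Constructed sample rows shaped like the AWSCloudTrail / AzureActivity columns the query uses.
AWS_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "EventName": "RunInstances", "ErrorCode": "",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/alice", "SourceIpAddress": "203.0.113.10",
     "ResponseElements": json.dumps({"instancesSet": {"items": [{"instanceId": "i-0abc123"}]}}),
     "AwsRegion": "us-east-1", "RecipientAccountId": "123456789012"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "EventName": "RunInstances",
     "ErrorCode": "Client.UnauthorizedOperation",  # failed call, dropped like isempty(ErrorCode)
     "UserIdentityArn": "arn:aws:iam::123456789012:user/mallory", "SourceIpAddress": "198.51.100.9",
     "ResponseElements": "", "AwsRegion": "us-east-1", "RecipientAccountId": "123456789012"},
    {"TimeGenerated": "2024-05-01T10:10:00Z", "EventName": "RunInstances", "ErrorCode": "",
     "UserIdentityArn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling",
     "SourceIpAddress": "autoscaling.amazonaws.com", "AwsRegion": "eu-west-1", "RecipientAccountId": "123456789012",
     "ResponseElements": json.dumps({"instancesSet": {"items": [{"instanceId": "i-0def456"}]}})},
]
AZURE_EVENTS = [
    {"TimeGenerated": "2024-05-01T11:00:00Z", "OperationNameValue": "Microsoft.Compute/virtualMachines/write",
     "ActivityStatusValue": "Succeeded", "Caller": "bob@example.com", "CallerIpAddress": "192.0.2.5",
     "Resource": "vm-lab-01", "ResourceGroup": "rg-lab", "SubscriptionId": "SUB-ID-PLACEHOLDER", "Level": "Informational"},
    {"TimeGenerated": "2024-05-01T11:02:00Z", "OperationNameValue": "Microsoft.Compute/virtualMachines/write",
     "ActivityStatusValue": "Failed", "Caller": "bob@example.com", "CallerIpAddress": "192.0.2.5",
     "Resource": "vm-lab-02", "ResourceGroup": "rg-lab", "SubscriptionId": "SUB-ID-PLACEHOLDER", "Level": "Error"},
]
# Hypothetical tuning list for the false positives above: actor substrings that mark expected automation.
EXPECTED_AUTOMATION = ("AWSServiceRoleForAutoScaling", "sp-github-actions")
def normalize_aws(ev):
    """AWS branch: successful RunInstances only; =~ in KQL is case-insensitive, so compare lowercased."""
    if ev["EventName"].lower() != "runinstances" or ev.get("ErrorCode"):
        return None
    items = json.loads(ev["ResponseElements"]).get("instancesSet", {}).get("items", [])
    return {"TimeGenerated": ev["TimeGenerated"], "CloudProvider": "AWS", "Actor": ev["UserIdentityArn"],
            "SourceIP": ev["SourceIpAddress"], "InstanceIdentifier": items[0]["instanceId"] if items else "",
            "Scope": ev["AwsRegion"], "AccountScope": ev["RecipientAccountId"]}

def normalize_azure(ev):
    """Azure branch: successful virtualMachines/write, operation name matched case-insensitively."""
    if (ev["OperationNameValue"].upper() != "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
            or ev["ActivityStatusValue"].lower() != "succeeded"):
        return None
    return {"TimeGenerated": ev["TimeGenerated"], "CloudProvider": "Azure", "Actor": ev["Caller"],
            "SourceIP": ev["CallerIpAddress"], "InstanceIdentifier": ev["Resource"], "Scope": ev["ResourceGroup"],
            "AccountScope": ev["SubscriptionId"], "Level": ev.get("Level")}
def hunt(aws_events, azure_events, expected=EXPECTED_AUTOMATION):
    """Union both feeds (like union isfuzzy), drop expected automation actors, newest first."""
    rows = [r for ev in aws_events if (r := normalize_aws(ev))]
    rows += [r for ev in azure_events if (r := normalize_azure(ev))]
    rows = [r for r in rows if not any(tag in r["Actor"] for tag in expected)]
    return sorted(rows, key=lambda r: r["TimeGenerated"], reverse=True)
```

Running `hunt(AWS_EVENTS, AZURE_EVENTS)` on the sample rows leaves two findings (alice's EC2 launch and bob's VM write); the failed calls and the autoscaling service-linked role are filtered out, and passing `expected=()` brings the autoscaling launch back.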
