Detect Create Cloud Instance in CrowdStrike LogScale
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may create a snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect data from local system or for remote data staging. LAPSUS$ has been observed creating new virtual machines within target cloud environments after leveraging credential access to cloud assets. Scattered Spider has created Amazon EC2 instances within victim environments to establish persistence and stage exfiltrated data. This technique enables adversaries to operate in an isolated compute environment without affecting existing running instances, evading endpoint-based detection tools that only monitor known workloads.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.002 Create Cloud Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1578/002/
LogScale Detection Query
#event_simpleName = "CloudResourceModification"
| OperationName = /(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify|revert)/
| ActorUserName != /(?i)(backup|automation|serviceaccount|scheduler)/
| groupBy([aid, ActorUserName, OperationName, ResourceType, ResourceName], function=[count(as=OpCount), min(timestamp, as=FirstSeen)])
| case {
OperationName = /(?i)(delete|destroy|terminate)/ => RiskScore := "High";
OperationName = /(?i)(snapshot|create)/ => RiskScore := "Medium";
* => RiskScore := "Low";
}
| where RiskScore in ("High", "Medium")
| table([ActorUserName, OperationName, ResourceType, ResourceName, OpCount, RiskScore, FirstSeen])
| sort(RiskScore)CrowdStrike LogScale (Falcon) CQL detection for Create Cloud Instance. Detects cloud instance creation events across Azure (AzureActivity) and AWS (AWSCloudTrail) in Microsoft Sentinel. Targets successful VM/instance creation operations that could indicate adversary infr
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud administrators performing routine snapshot and backup operations
- Automated DR and backup solutions creating scheduled cloud instance snapshots
- DevOps CI/CD pipelines that create and destroy cloud instances during deployments
- Authorized cloud migration projects moving or replicating compute instances
Other platforms for T1578.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create AWS EC2 Instance via CLI
Expected signal: AWS CloudTrail: RunInstances event with eventSource=ec2.amazonaws.com, eventName=RunInstances, userIdentity block showing caller ARN and accountId, requestParameters.instancesSet containing imageId and instanceType t2.micro, responseElements.instancesSet.items[0].instanceId with the assigned instance ID. Event appears in CloudTrail within 5-15 minutes and in Microsoft Sentinel AWSCloudTrail table within 15-30 minutes depending on connector polling interval.
- Test 2Create Azure Virtual Machine via CLI
Expected signal: Azure Activity Log: Microsoft.Compute/virtualMachines/write operation with ActivityStatus=Succeeded, Caller showing the authenticated UPN or service principal object ID, CallerIpAddress of the machine running the Azure CLI, ResourceGroup=df00tech-atomic-test-rg. Also generates Microsoft.Resources/resourceGroups/write event for the preceding resource group creation. Events appear in Azure Activity Log within 5 minutes and in Microsoft Sentinel AzureActivity table within 10-15 minutes.
- Test 3Create GCP Compute Engine Instance via gcloud CLI
Expected signal: GCP Cloud Audit Log: compute.instances.insert activity log entry with principalEmail showing the authenticated caller, requestMetadata.callerIp, resource.labels.instance_id and resource.labels.zone populated. Visible in GCP Cloud Logging under GCE Audit Logs (Admin Activity). If exported to Microsoft Sentinel via GCP Pub/Sub connector: GCPAuditLogs table with MethodName=v1.compute.instances.insert and Severity=NOTICE (success).
- Test 4Snapshot-then-Create-Instance Data Staging Pattern (Mandiant M-Trends)
Expected signal: AWS CloudTrail sequence: (1) CreateVolume event with responseElements.volumeId, (2) CreateSnapshot event with requestParameters.volumeId and responseElements.snapshotId from the same userIdentity.arn, (3) RunInstances event with requestParameters.blockDeviceMapping containing the snapshotId in the Ebs block. All three events share the same userIdentity.arn and sessionContext. Entire sequence visible in CloudTrail within 15 minutes.
References (10)
- https://attack.mitre.org/techniques/T1578/002/
- https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- https://cloud.google.com/logging/docs/audit#admin-activity
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
- https://learn.microsoft.com/en-us/azure/virtual-machines/monitor-vm-reference
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.002/T1578.002.md
Unlock Pro Content
Get the full detection package for T1578.002 including response playbook, investigation guide, and atomic red team tests.