Detect Create Cloud Instance in Microsoft Sentinel
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that apply to instances already residing within an account. An adversary may create a snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect data from the local system or for remote data staging. LAPSUS$ has been observed creating new virtual machines within target cloud environments after leveraging credential access to cloud assets. Scattered Spider has created Amazon EC2 instances within victim environments to establish persistence and stage exfiltrated data. This technique lets adversaries operate in an isolated compute environment without affecting existing running instances, evading endpoint-based detection tools that only monitor known workloads.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.002 Create Cloud Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1578/002/
KQL Detection Query
// Azure: successful virtualMachines/write operations from the Activity Log.
let AzureInstanceCreate = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
// AzureActivity reports the outcome as ActivityStatusValue ("Success") alongside
// ActivityStatus ("Succeeded"); accept both spellings so the filter holds across schema versions.
| where ActivityStatusValue in~ ("Success", "Succeeded")
| extend CloudProvider = "Azure"
| extend Actor = Caller
| extend SourceIP = CallerIpAddress
| extend InstanceIdentifier = Resource
| extend Scope = ResourceGroup
| extend AccountScope = SubscriptionId
| project TimeGenerated, CloudProvider, Actor, SourceIP, InstanceIdentifier, Scope, AccountScope, Level;
// AWS: RunInstances calls that completed without an ErrorCode.
let AWSInstanceCreate = AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName =~ "RunInstances"
| where isempty(ErrorCode)
| extend CloudProvider = "AWS"
| extend Actor = tostring(UserIdentityArn)
| extend SourceIP = SourceIpAddress
// The new instance ID is only in the response body, so parse it out of ResponseElements.
| extend InstanceIdentifier = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)
| extend Scope = AwsRegion
| extend AccountScope = RecipientAccountId
| project TimeGenerated, CloudProvider, Actor, SourceIP, InstanceIdentifier, Scope, AccountScope;
// isfuzzy=true lets the query run when only one of the two tables exists in the workspace.
union isfuzzy=true AzureInstanceCreate, AWSInstanceCreate
| sort by TimeGenerated desc
Detects cloud instance creation events across Azure (AzureActivity) and AWS (AWSCloudTrail) in Microsoft Sentinel. Targets successful VM/instance creation operations that could indicate adversary infrastructure staging, defense evasion via isolated compute environments, or snapshot-based data exfiltration setup. Note that Microsoft.Compute/virtualMachines/write is also emitted for updates to an existing VM, so on the Azure side the query surfaces both creates and configuration changes. Uses a union with isfuzzy=true to gracefully handle environments with only one cloud connector active. Requires the AWS CloudTrail connector and/or Azure Activity Logs connected to Microsoft Sentinel.
Data Sources
Required Tables
- AzureActivity (Azure Activity Logs connector)
- AWSCloudTrail (AWS CloudTrail connector)
False Positives & Tuning
- Authorized DevOps pipelines and CI/CD systems (GitHub Actions, Azure DevOps, Jenkins) that create ephemeral compute instances for build and test workloads — typically identifiable by service principal caller identity
- Auto-scaling group events triggered by legitimate load spikes — cloud-native scaling policies routinely invoke RunInstances without human intervention
- Infrastructure-as-Code deployments (Terraform, Pulumi, Bicep, CloudFormation) run by authorized engineers during planned change windows
- Disaster recovery testing and failover drills that spin up instances in secondary regions as part of documented runbooks
- Cloud security posture management tools (Prisma Cloud, Wiz, Orca Security) that deploy scan or assessment instances into target environments
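The following is an added example, not the page's KQL or any vendor code: it reimplements the query's normalization of AzureActivity and AWSCloudTrail rows into the common schema (CloudProvider, Actor, SourceIP, InstanceIdentifier, Scope, AccountScope) and then applies the two tuning ideas from the list above, suppressing callers that are allow-listed automation identities and AWS calls made by a service on the account's behalf. All sample rows, the allowlist entries and the `UserIdentityInvokedBy` column name are constructed assumptions.

```python
"""Normalize Azure Activity and AWS CloudTrail instance-creation records into one
schema and apply caller-based tuning. Added example; not the page's KQL."""
import json

AZURE_WRITE_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
# AzureActivity has carried both spellings across schema versions; accept either.
AZURE_SUCCESS = {"success", "succeeded"}

# Constructed allowlist of automation identities expected to create compute
# (a CI/CD service principal object ID, an IaC runner role ARN prefix). Hypothetical values.
KNOWN_AUTOMATION = {
    "Azure": ("11111111-2222-3333-4444-555555555555",),
    "AWS": ("arn:aws:sts::123456789012:assumed-role/terraform-runner/",),
}

# Constructed sample rows (field names as in the Sentinel tables; values made up).
AZURE_ACTIVITY = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "OperationNameValue": AZURE_WRITE_OP,
     "ActivityStatusValue": "Success", "Caller": "alice@example.com",
     "CallerIpAddress": "203.0.113.10", "Resource": "vm-adhoc-01", "ResourceGroup": "rg-sandbox",
     "SubscriptionId": "sub-0001", "Level": "Informational"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "OperationNameValue": AZURE_WRITE_OP,
     "ActivityStatusValue": "Failure", "Caller": "alice@example.com",   # failed write: dropped
     "CallerIpAddress": "203.0.113.10", "Resource": "vm-adhoc-02", "ResourceGroup": "rg-sandbox",
     "SubscriptionId": "sub-0001", "Level": "Error"},
    {"TimeGenerated": "2024-05-01T10:10:00Z", "OperationNameValue": AZURE_WRITE_OP,
     "ActivityStatusValue": "Success", "Caller": "11111111-2222-3333-4444-555555555555",  # CI SP
     "CallerIpAddress": "20.0.0.5", "Resource": "vm-ci-agent-7", "ResourceGroup": "rg-ci",
     "SubscriptionId": "sub-0001", "Level": "Informational"},
]
AWS_CLOUDTRAIL = [
    {"TimeGenerated": "2024-05-01T10:02:00Z", "EventName": "RunInstances", "ErrorCode": "",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/bob", "SourceIpAddress": "198.51.100.7",
     "ResponseElements": json.dumps({"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}}),
     "AwsRegion": "us-east-1", "RecipientAccountId": "123456789012"},
    {"TimeGenerated": "2024-05-01T10:03:00Z", "EventName": "RunInstances",
     "ErrorCode": "Client.UnauthorizedOperation",                       # denied call: dropped
     "UserIdentityArn": "arn:aws:iam::123456789012:user/bob", "SourceIpAddress": "198.51.100.7",
     "ResponseElements": "", "AwsRegion": "us-east-1", "RecipientAccountId": "123456789012"},
    {"TimeGenerated": "2024-05-01T10:04:00Z", "EventName": "RunInstances", "ErrorCode": "",
     "UserIdentityArn": "arn:aws:sts::123456789012:assumed-role/AutoScalingRole/session",
     "UserIdentityInvokedBy": "autoscaling.amazonaws.com",              # scaling policy, not a human
     "SourceIpAddress": "autoscaling.amazonaws.com",
     "ResponseElements": json.dumps({"instancesSet": {"items": [{"instanceId": "i-0fed987cba654"}]}}),
     "AwsRegion": "us-east-1", "RecipientAccountId": "123456789012"},
]


def normalize_azure(rec):
    """AzureActivity row -> common schema, or None unless it is a successful VM write."""
    if rec.get("OperationNameValue", "").upper() != AZURE_WRITE_OP:
        return None
    if rec.get("ActivityStatusValue", "").lower() not in AZURE_SUCCESS:
        return None
    return {"TimeGenerated": rec["TimeGenerated"], "CloudProvider": "Azure",
            "Actor": rec["Caller"], "SourceIP": rec.get("CallerIpAddress", ""),
            "InstanceIdentifier": rec.get("Resource", ""), "Scope": rec.get("ResourceGroup", ""),
            "AccountScope": rec.get("SubscriptionId", ""), "InvokedBy": ""}


def normalize_aws(rec):
    """AWSCloudTrail row -> common schema, or None unless it is RunInstances with no ErrorCode."""
    if rec.get("EventName", "").lower() != "runinstances" or rec.get("ErrorCode"):
        return None
    try:  # mirrors tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)
        resp = json.loads(rec.get("ResponseElements") or "{}")
        instance_id = resp["instancesSet"]["items"][0]["instanceId"]
    except (ValueError, KeyError, IndexError, TypeError):
        instance_id = ""
    return {"TimeGenerated": rec["TimeGenerated"], "CloudProvider": "AWS",
            "Actor": rec.get("UserIdentityArn", ""), "SourceIP": rec.get("SourceIpAddress", ""),
            "InstanceIdentifier": instance_id, "Scope": rec.get("AwsRegion", ""),
            "AccountScope": rec.get("RecipientAccountId", ""),
            # Set when an AWS service acted on the account's behalf; column name is an assumption.
            "InvokedBy": rec.get("UserIdentityInvokedBy") or ""}


def classify(row, allowlist=KNOWN_AUTOMATION):
    """'suppress' for service-invoked or allow-listed callers, otherwise 'alert'."""
    if row["InvokedBy"]:
        return "suppress"
    if any(row["Actor"].startswith(p) for p in allowlist.get(row["CloudProvider"], ())):
        return "suppress"
    return "alert"


def detect(azure_rows, aws_rows, allowlist=KNOWN_AUTOMATION):
    """Union both sources (the KQL union isfuzzy=true), newest first, split by tuning verdict."""
    rows = [r for r in map(normalize_azure, azure_rows) if r]
    rows += [r for r in map(normalize_aws, aws_rows) if r]
    rows.sort(key=lambda r: r["TimeGenerated"], reverse=True)
    alerts = [r for r in rows if classify(r, allowlist) == "alert"]
    suppressed = [r for r in rows if classify(r, allowlist) == "suppress"]
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = detect(AZURE_ACTIVITY, AWS_CLOUDTRAIL)
    for r in alerts:
        print("ALERT   ", r["TimeGenerated"], r["CloudProvider"], r["Actor"], r["InstanceIdentifier"])
    for r in suppressed:
        print("SUPPRESS", r["TimeGenerated"], r["CloudProvider"], r["Actor"], r["InstanceIdentifier"])
```

Keeping the suppressed rows rather than discarding them is deliberate: allow-listed automation identities are exactly what an attacker with stolen pipeline credentials would use, so the suppressed set should still be retained for hunting and periodic review of the allowlist.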
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create AWS EC2 Instance via CLI
Expected signal: AWS CloudTrail: RunInstances event with eventSource=ec2.amazonaws.com, eventName=RunInstances, userIdentity block showing caller ARN and accountId, requestParameters.instancesSet containing imageId and instanceType t2.micro, responseElements.instancesSet.items[0].instanceId with the assigned instance ID. Event appears in CloudTrail within 5-15 minutes and in Microsoft Sentinel AWSCloudTrail table within 15-30 minutes depending on connector polling interval.
- Test 2: Create Azure Virtual Machine via CLI
Expected signal: Azure Activity Log: Microsoft.Compute/virtualMachines/write operation with ActivityStatus=Succeeded, Caller showing the authenticated UPN or service principal object ID, CallerIpAddress of the machine running the Azure CLI, ResourceGroup=df00tech-atomic-test-rg. Also generates Microsoft.Resources/resourceGroups/write event for the preceding resource group creation. Events appear in Azure Activity Log within 5 minutes and in Microsoft Sentinel AzureActivity table within 10-15 minutes.
- Test 3: Create GCP Compute Engine Instance via gcloud CLI
Expected signal: GCP Cloud Audit Log: compute.instances.insert activity log entry with principalEmail showing the authenticated caller, requestMetadata.callerIp, resource.labels.instance_id and resource.labels.zone populated. Visible in GCP Cloud Logging under GCE Audit Logs (Admin Activity). If exported to Microsoft Sentinel via GCP Pub/Sub connector: GCPAuditLogs table with MethodName=v1.compute.instances.insert and Severity=NOTICE (success).
- Test 4: Snapshot-then-Create-Instance Data Staging Pattern (Mandiant M-Trends)
Expected signal: AWS CloudTrail sequence: (1) CreateVolume event with responseElements.volumeId, (2) CreateSnapshot event with requestParameters.volumeId and responseElements.snapshotId from the same userIdentity.arn, (3) RunInstances event with requestParameters.blockDeviceMapping containing the snapshotId in the Ebs block. All three events share the same userIdentity.arn and sessionContext. Entire sequence visible in CloudTrail within 15 minutes.
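The sequence described for Test 4 is the part of this detection that a single-event query cannot express, so here is an added correlation example (not from the page or from Atomic Red Team) that stitches the chain together from raw CloudTrail records. It generalizes slightly beyond the test: the CreateVolume step is treated as optional evidence, because in a real intrusion the snapshot is usually taken of a pre-existing volume rather than one the attacker created. The record shape (`requestParameters.blockDeviceMapping.items[].ebs.snapshotId`, `responseElements.instancesSet.items[].instanceId`) follows the CloudTrail event format; the ARNs, IDs and timestamps are constructed.

```python
"""Correlate CreateVolume -> CreateSnapshot -> RunInstances chains by caller ARN in
CloudTrail records. Added example for Test 4; not from the page."""
from datetime import datetime, timedelta


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _snapshot_ids(run_event):
    """Snapshot IDs a RunInstances call boots from (blockDeviceMapping.items[].ebs.snapshotId)."""
    mapping = run_event.get("requestParameters", {}).get("blockDeviceMapping", {})
    return [m["ebs"]["snapshotId"] for m in mapping.get("items", [])
            if m.get("ebs", {}).get("snapshotId")]


def find_staging_chains(events, window=timedelta(minutes=60)):
    """One finding per RunInstances that boots from a snapshot the same caller ARN took
    within `window`; also records whether that caller created the source volume."""
    by_arn = {}
    for e in events:
        by_arn.setdefault(e["userIdentity"]["arn"], []).append(e)
    findings = []
    for arn, evs in by_arn.items():
        evs.sort(key=_ts)
        volumes, snapshots = {}, {}   # volumeId -> CreateVolume, snapshotId -> CreateSnapshot
        for e in evs:
            name = e["eventName"]
            if name == "CreateVolume":
                volumes[e["responseElements"]["volumeId"]] = e
            elif name == "CreateSnapshot":
                snapshots[e["responseElements"]["snapshotId"]] = e
            elif name == "RunInstances":
                for snap_id in _snapshot_ids(e):
                    snap = snapshots.get(snap_id)
                    if snap is None or _ts(e) - _ts(snap) > window:
                        continue   # snapshot taken by someone else, or too long ago
                    vol_id = snap["requestParameters"]["volumeId"]
                    findings.append({
                        "actor": arn,
                        "volumeId": vol_id,
                        "volume_created_by_actor": vol_id in volumes,
                        "snapshotId": snap_id,
                        "instanceId": e["responseElements"]["instancesSet"]["items"][0]["instanceId"],
                        "minutes_snapshot_to_run": (_ts(e) - _ts(snap)).total_seconds() / 60,
                    })
    return findings


def _ev(time, arn, name, request=None, response=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventName": name, "eventSource": "ec2.amazonaws.com",
            "userIdentity": {"arn": arn},
            "requestParameters": request or {}, "responseElements": response or {}}


# Constructed sample: one staging chain, one routine backup snapshot, one plain AMI launch.
SUSPECT = "arn:aws:iam::123456789012:user/compromised-user"
BACKUP = "arn:aws:sts::123456789012:assumed-role/backup-role/session"
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", SUSPECT, "CreateVolume", {"size": "8"}, {"volumeId": "vol-0a1"}),
    _ev("2024-05-01T10:05:00Z", SUSPECT, "CreateSnapshot",
        {"volumeId": "vol-0a1"}, {"snapshotId": "snap-0a1"}),
    _ev("2024-05-01T10:12:00Z", SUSPECT, "RunInstances",
        {"blockDeviceMapping": {"items": [{"deviceName": "/dev/xvdf", "ebs": {"snapshotId": "snap-0a1"}}]}},
        {"instancesSet": {"items": [{"instanceId": "i-0stage01"}]}}),
    _ev("2024-05-01T11:00:00Z", BACKUP, "CreateSnapshot",
        {"volumeId": "vol-0b2"}, {"snapshotId": "snap-0b2"}),
    _ev("2024-05-01T11:30:00Z", "arn:aws:iam::123456789012:user/dev", "RunInstances",
        {"imageId": "ami-0123"}, {"instancesSet": {"items": [{"instanceId": "i-0dev01"}]}}),
]

if __name__ == "__main__":
    for f in find_staging_chains(SAMPLE_EVENTS):
        print(f)
```

The window argument is the main tuning knob: the page's test completes in 15 minutes, while a human operator working through a console may take longer, so start wide and tighten once you have seen how legitimate snapshot-based launches behave in the account.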
References (10)
- https://attack.mitre.org/techniques/T1578/002/
- https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- https://cloud.google.com/logging/docs/audit#admin-activity
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html
- https://learn.microsoft.com/en-us/azure/virtual-machines/monitor-vm-reference
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.002/T1578.002.md