title: Create Snapshot (T1578.001)
id: df00tech-t1578-001
status: experimental
description: "Adversaries may create a snapshot or data backup within a cloud account to evade defenses and gain access to restricted compute infrastructure. A snapshot is a point-in-time copy of a cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. After creating a snapshot, an adversary can create a new cloud instance, mount the snapshot to it, and apply permissive policies (such as firewall rules allowing SSH/RDP) that bypass restrictions enforced on the original resource. This allows access to data and configurations on the original volume without triggering alerts tied to direct access of the live instance. The Pacu AWS exploitation framework includes modules to enumerate and create EBS snapshots and RDS snapshots. Snapshot creation may also precede cross-account sharing, where the adversary modifies snapshot attributes to share it with an attacker-controlled AWS account for offline analysis."
references:
  - https://attack.mitre.org/techniques/T1578/001/
  - https://df00tech.com/detections/T1578.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1578.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Automated backup solutions (AWS Backup, Azure Backup, third-party tools like Veeam) running scheduled snapshot jobs — these will appear as bulk creation from service principals or IAM roles"
  - "Disaster recovery and business continuity operations where admins create snapshots before major maintenance windows, often outside business hours"
  - "DevOps pipelines using Infrastructure-as-Code (Terraform, CloudFormation, Pulumi) that create and destroy snapshots as part of environment provisioning"
  - Cloud-native services such as AWS Data Lifecycle Manager or Azure Disk Snapshot policies that automate snapshot rotation at scale
  - Cross-account sharing for legitimate DR scenarios where snapshots are replicated to a dedicated recovery AWS account
level: high