MITRE ATT&CK Technique
Defense Evasion T1578.002
Description

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may create a snapshot ([Create Snapshot](https://attack.mitre.org/techniques/T1578/001)) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002). (Citation: Mandiant M-Trends 2020)

Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of currently running instances.

Supported Platforms
IaaS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-05-14T14:45:15.978Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'An adversary may create a new instance or virtual machine '
                '(VM) within the compute service of a cloud account to evade '
                'defenses. Creating a new instance may allow an adversary to '
                'bypass firewall rules and permissions that exist on instances '
                'currently residing within an account. An adversary may '
                '[Create '
                'Snapshot](https://attack.mitre.org/techniques/T1578/001) of '
                'one or more volumes in an account, create a new instance, '
                'mount the snapshots, and then apply a less restrictive '
                'security policy to collect [Data from Local '
                'System](https://attack.mitre.org/techniques/T1005) or for '
                '[Remote Data '
                'Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: '
                'Mandiant M-Trends 2020)\n'
                '\n'
                'Creating a new instance may also allow an adversary to carry '
                'out malicious activity within an environment without '
                'affecting the execution of current running instances.',
 'external_references': [{'external_id': 'T1578.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1578/002'},
                         {'description': 'Amazon. (n.d.). Search CloudTrail '
                                         'logs for API calls to EC2 Instances. '
                                         'Retrieved June 17, 2020.',
                          'source_name': 'AWS CloudTrail Search',
                          'url': 'https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/'},
                         {'description': 'Google. (n.d.). Audit Logs. '
                                         'Retrieved June 1, 2020.',
                          'source_name': 'Cloud Audit Logs',
                          'url': 'https://cloud.google.com/logging/docs/audit#admin-activity'},
                         {'description': 'Mandiant. (2020, February). M-Trends '
                                         '2020. Retrieved November 17, 2024.',
                          'source_name': 'Mandiant M-Trends 2020',
                          'url': 'https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf'},
                         {'description': 'Microsoft. (n.d.). View Azure '
                                         'activity logs. Retrieved June 17, '
                                         '2020.',
                          'source_name': 'Azure Activity Logs',
                          'url': 'https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs'}],
 'id': 'attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:24.804Z',
 'name': 'Create Cloud Instance',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Arun Seelagan, CISA'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['IaaS'],
 'x_mitre_version': '1.2'}
Related Threat Actors (2)
LAPSUS$
High

Scattered Spider
High