MITRE ATT&CK Technique
Description
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.

An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access. (Citation: Mandiant M-Trends 2020)
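One way to detect the sequence described above in AWS CloudTrail data, added here as an example and not part of the ATT&CK entry: it correlates a snapshot creation, a volume or instance built from that snapshot, and a rule opening inbound SSH. The event names are real EC2 API calls; the flattened record fields, the one-hour window, the same-principal requirement and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)                       # assumed correlation window, tune per environment
USES_SNAPSHOT = {"CreateVolume", "RunInstances"}  # EC2 calls that can reference a snapshot

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_snapshot_chains(events):
    """Return (principal, snapshot_id) pairs where one principal created a snapshot,
    built a volume or instance from it, then opened inbound SSH, all within WINDOW."""
    created = {}   # snapshot_id -> (principal, creation time)
    mounted = {}   # principal -> (snapshot_id, creation time of that snapshot)
    alerts = []
    for e in sorted(events, key=lambda e: ts(e["eventTime"])):
        t, who, name = ts(e["eventTime"]), e["principal"], e["eventName"]
        if name == "CreateSnapshot":
            created[e["snapshotId"]] = (who, t)
        elif name in USES_SNAPSHOT and e.get("snapshotId") in created:
            owner, t0 = created[e["snapshotId"]]
            if owner == who and t - t0 <= WINDOW:
                mounted[who] = (e["snapshotId"], t0)
        elif name == "AuthorizeSecurityGroupIngress" and who in mounted:
            snap, t0 = mounted[who]
            # Port range covering 22 means the rule admits inbound SSH.
            if e["fromPort"] <= 22 <= e["toPort"] and t - t0 <= WINDOW:
                alerts.append((who, snap))
                del mounted[who]
    return alerts

# Constructed sample records. They are flattened: real CloudTrail nests these values
# under userIdentity, requestParameters and responseElements.
DEV = "arn:aws:iam::111111111111:user/dev-a"
BACKUP = "arn:aws:iam::111111111111:role/backup"
SAMPLE = [
    {"eventTime": "2024-05-01T02:00:00Z", "eventName": "CreateSnapshot", "principal": BACKUP, "snapshotId": "snap-0001"},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "CreateSnapshot", "principal": DEV, "snapshotId": "snap-0002"},
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "RunInstances", "principal": DEV, "snapshotId": "snap-0002"},
    {"eventTime": "2024-05-01T09:07:00Z", "eventName": "AuthorizeSecurityGroupIngress", "principal": DEV, "fromPort": 22, "toPort": 22},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "AuthorizeSecurityGroupIngress", "principal": BACKUP, "fromPort": 22, "toPort": 22},
]

if __name__ == "__main__":
    for who, snap in find_snapshot_chains(SAMPLE):
        print(f"ALERT principal={who} snapshot={snap}")
```

The scheduled backup role's snapshot and its unrelated SSH rule change do not alert, because no volume or instance was built from that snapshot by the same principal.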
Supported Platforms
IaaS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-06-09T15:33:13.563Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may create a snapshot or data backup within a '
'cloud account to evade defenses. A snapshot is a '
'point-in-time copy of an existing cloud compute component '
'such as a virtual machine (VM), virtual hard drive, or '
'volume. An adversary may leverage permissions to create a '
'snapshot in order to bypass restrictions that prevent access '
'to existing compute service infrastructure, unlike in [Revert '
'Cloud '
'Instance](https://attack.mitre.org/techniques/T1578/004) '
'where an adversary may revert to a snapshot to evade '
'detection and remove evidence of their presence.\n'
'\n'
'An adversary may [Create Cloud '
'Instance](https://attack.mitre.org/techniques/T1578/002), '
'mount one or more created snapshots to that instance, and '
'then apply a policy that allows the adversary access to the '
'created instance, such as a firewall policy that allows them '
'inbound and outbound SSH access.(Citation: Mandiant M-Trends '
'2020)',
'external_references': [{'external_id': 'T1578.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1578/001'},
{'description': 'Amazon. (2020). Logging AWS Backup '
'API Calls with AWS CloudTrail. '
'Retrieved April 27, 2020.',
'source_name': 'AWS Cloud Trail Backup API',
'url': 'https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html'},
{'description': 'Google. (2020, April 23). Creating '
'and Starting a VM instance. '
'Retrieved May 1, 2020.',
'source_name': 'GCP - Creating and Starting a VM',
'url': 'https://cloud.google.com/compute/docs/instances/create-start-instance#api_2'},
{'description': 'Google. (n.d.). Audit Logs. '
'Retrieved June 1, 2020.',
'source_name': 'Cloud Audit Logs',
'url': 'https://cloud.google.com/logging/docs/audit#admin-activity'},
{'description': 'Mandiant. (2020, February). M-Trends '
'2020. Retrieved November 17, 2024.',
'source_name': 'Mandiant M-Trends 2020',
'url': 'https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf'},
{'description': 'Microsoft. (2019, June 4). Monitor '
'at scale by using Azure Monitor. '
'Retrieved May 1, 2020.',
'source_name': 'Azure - Monitor Logs',
'url': 'https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor'}],
'id': 'attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:49:34.416Z',
'name': 'Create Snapshot',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Praetorian'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS'],
'x_mitre_version': '1.2'}