T1578.001 - Modify Cloud Compute Infrastructure: Create Snapshot
Description from ATT&CK (opens in a new tab)
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance (opens in a new tab) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may Create Cloud Instance (opens in a new tab), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
Atomic Tests
Atomic Test #1 - AWS - Create Snapshot from EBS Volume
Creates an EBS snapshot in AWS using the AWS CLI. This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
Supported Platforms: Iaas:aws
auto_generated_guid: a3c09662-85bb-4ea8-b15b-6dc8a844e236
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| aws_region | AWS region where the volume is located. | string | us-east-1 |
| aws_volume_id | The AWS EBS Volume ID to create a snapshot from. | string | vol-0123456789abcdef0 |
Attack Commands: Run with sh!
aws ec2 create-snapshot --region #{aws_region} --volume-id #{aws_volume_id} --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output textCleanup Commands:
SNAPSHOT_ID=$(aws ec2 describe-snapshots --region #{aws_region} --filters "Name=volume-id,Values=#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
if [ "$SNAPSHOT_ID" != "None" ]; then
aws ec2 delete-snapshot --region #{aws_region} --snapshot-id "$SNAPSHOT_ID"
fiDependencies: Run with sh!
Description: AWS CLI must be installed.
Check Prereq Commands:
if command -v aws > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html"Description: AWS CLI must be authenticated.
Check Prereq Commands:
if aws sts get-caller-identity --region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Configure AWS credentials with: aws configure"Description: EBS volume must exist.
Check Prereq Commands:
if aws ec2 describe-volumes --volume-ids #{aws_volume_id} --region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Ensure the volume ID exists in the target AWS account and region."Atomic Test #2 - Azure - Create Snapshot from Managed Disk
Creates a snapshot of a managed disk in Azure using the Azure CLI. Simulates adversary snapshotting behavior for persistence or data duplication.
Supported Platforms: Iaas:azure
auto_generated_guid: 89e69b4b-3458-4ec6-b819-b3008debc1bc
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| azure_resource_group | The Azure resource group where the disk is located. | string | myResourceGroup |
| azure_disk_name | The Azure disk name. | string | myDiskName |
| azure_snapshot_name | The Azure snapshot name. | string | mySnapshotName |
Attack Commands: Run with sh!
az snapshot create --resource-group #{azure_resource_group} --name #{azure_snapshot_name} --source #{azure_disk_name} --location eastusCleanup Commands:
az snapshot delete --resource-group #{azure_resource_group} --name #{azure_snapshot_name}Dependencies: Run with sh!
Description: Azure CLI must be installed.
Check Prereq Commands:
if command -v az > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Install Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"Description: Azure CLI must be authenticated.
Check Prereq Commands:
if az account show > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Login with: az login"Description: Azure disk must exist.
Check Prereq Commands:
if az disk show --resource-group #{azure_resource_group} --name #{azure_disk_name} > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Ensure the disk exists in the given resource group."Atomic Test #3 - GCP - Create Snapshot from Persistent Disk
Creates a snapshot of a persistent disk in GCP using the gcloud CLI. Emulates adversary behavior to gain access to volume data or replicate environment state.
Supported Platforms: Iaas:gcp
auto_generated_guid: e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| gcp_disk_name | The Google Cloud disk name. | string | myDiskName |
| gcp_zone | The Google Cloud zone where the disk is located. | string | us-central1-a |
| gcp_snapshot_name | The Google Cloud snapshot name. | string | mySnapshotName |
Attack Commands: Run with sh!
gcloud compute snapshots create #{gcp_snapshot_name} --source-disk=#{gcp_disk_name} --zone=#{gcp_zone}Cleanup Commands:
gcloud compute snapshots delete #{gcp_snapshot_name} --quietDependencies: Run with sh!
Description: gcloud CLI must be installed.
Check Prereq Commands:
if command -v gcloud > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Install gcloud CLI: https://cloud.google.com/sdk/docs/install"Description: gcloud CLI must be authenticated.
Check Prereq Commands:
if gcloud auth list --filter=status:ACTIVE --format="value(account)" | grep . > /dev/null; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Authenticate with: gcloud auth login"Description: GCP disk must exist.
Check Prereq Commands:
if gcloud compute disks describe #{gcp_disk_name} --zone=#{gcp_zone} > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
echo "Ensure the disk exists in the specified zone."