T1578.002
Create Cloud Instance
Description from ATT&CK
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.(Citation: Mandiant M-Trends 2020)
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
Atomic Tests
- Atomic Test #1: Create EC2 Instance from Launch Template
- Atomic Test #2: Create EC2 Instance with user data
Atomic Test #1: Create EC2 Instance from Launch Template
Creates and launches an instance using RunInstances with a launch template. The launch template contains all the necessary parameters for the instance.
References for launch templates:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-launch-template.html
- https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html#examples
Supported Platforms: Iaas:aws, Linux
auto_generated_guid: 09186a16-e7f1-4d26-9524-6999a95a2ea5
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| template_name | Full path to the template.json file | string | PathToAtomicsFolder/T1578.002/src/template.json |
| version | Launch template version description | string | 1 |
| ami_id | AMI ID to use | string | ami-12345678 |
| instance_type | EC2 instance type | string | tg4.nano |
| instance_id | EC2 instance ID to terminate | string | i-1234567890abcdef0 |
| aws_region | AWS region | string | us-east-1 |
| profile_name | AWS profile name | string | default |
Attack Commands: Run with sh!
aws ec2 create-launch-template \
--launch-template-name #{template_name} \
--version-description #{version} \
--tag-specifications 'ResourceType=launch-template,Tags=[{Key=purpose,Value=production}]' \
--launch-template-data file://template.json
aws ec2 run-instances --image-id #{ami_id} --instance-type #{instance_type} \
--region #{aws_region} --profile #{profile_name}
Cleanup Commands
aws ec2 terminate-instances --instance-ids #{instance_id} \
--region #{aws_region} --profile #{profile_name}
Dependencies: Run with sh!
Description: AWS CLI must be installed
Check Prereq Commands
if command -v aws > /dev/null 2>&1; then exit 0; else exit 1; fi
Get Prereq Commands
echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html"
Atomic Test #2: Create EC2 Instance with user data
Creates an EC2 instance with a keypair while passing user data in a script. The script runs at launch.
Supported Platforms: Iaas:aws, Linux
auto_generated_guid: e0c5c285-8903-4927-a9f8-a7c37eac37e2
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| ami_id | AMI ID to use | string | ami-12345678 |
| instance_type | EC2 instance type | string | tg4.nano |
| instance_id | EC2 instance ID to terminate | string | i-1234567890abcdef0 |
| aws_region | AWS region | string | us-west-2 |
| profile_name | AWS profile name | string | default |
Attack Commands: Run with sh!
printf '%s\n' '#!/bin/bash' 'date -u > /var/tmp/userdata-ran.txt' > my_script.txt
aws ec2 run-instances \
--image-id #{ami_id} \
--instance-type #{instance_type} \
--count 1 \
--subnet-id subnet-XXXXXXXXXXXXXXX \
--key-name MyKeyPair \
--user-data file://my_script.txt
Cleanup Commands
aws ec2 terminate-instances --instance-ids #{instance_id} \
--region #{aws_region} --profile #{profile_name}
Dependencies: Run with sh!
Description: AWS CLI must be installed
Check Prereq Commands
# Description: AWS CLI must be installed.
if command -v aws > /dev/null 2>&1; then exit 0; else exit 1; fi
Get Prereq Commands
echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html"
Atomic test(s) for this technique last updated: 2026-05-11 20:39:24 UTC
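To check that the two atomic tests on this page leave telemetry a defender can act on, the following added example (not part of Atomic Red Team or ATT&CK) triages CloudTrail-style records for the API calls the tests make: CreateLaunchTemplate and RunInstances. The record field names are assumed to follow the CloudTrail record layout, and the principal ARNs, allowlists and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

WATCHED = {"CreateLaunchTemplate", "RunInstances"}
AUTOSCALER = "arn:aws:iam::111122223333:role/asg-launcher"  # hypothetical allowlisted role
TESTER = "arn:aws:iam::111122223333:user/atomic-tester"     # hypothetical test identity

def _rec(t, name, arn, region, params=None, error=None):
    """Build a constructed CloudTrail-style record (sample data, not real telemetry)."""
    r = {"eventTime": t, "eventSource": "ec2.amazonaws.com", "eventName": name,
         "awsRegion": region, "userIdentity": {"arn": arn}, "requestParameters": params or {}}
    if error:
        r["errorCode"] = error
    return r

SAMPLE = [
    _rec("2026-01-10T10:00:00Z", "CreateLaunchTemplate", TESTER, "us-east-1"),
    _rec("2026-01-10T10:02:30Z", "RunInstances", TESTER, "us-east-1"),
    _rec("2026-01-10T11:00:00Z", "RunInstances", TESTER, "us-west-2",
         {"userData": "<sensitiveDataRemoved>"}),
    _rec("2026-01-10T11:05:00Z", "RunInstances", AUTOSCALER, "us-east-1"),
    _rec("2026-01-10T11:06:00Z", "RunInstances", TESTER, "eu-west-1", error="Client.UnauthorizedOperation"),
]

def triage(records, allowed_principals, allowed_regions, window=timedelta(minutes=15)):
    """Return (eventTime, eventName, principal, reasons) for instance creation worth review."""
    findings, last_template = [], {}
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") not in WATCHED:
            continue
        who = r.get("userIdentity", {}).get("arn", "unknown")
        when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        params = r.get("requestParameters") or {}
        reasons = []
        if who not in allowed_principals:
            reasons.append("principal not in launch allowlist")
        if r.get("awsRegion") not in allowed_regions:
            reasons.append("region not in use")
        if r.get("errorCode"):
            reasons.append("denied or failed: " + r["errorCode"])
        if r["eventName"] == "CreateLaunchTemplate":
            last_template[who] = when  # remember for correlation with a later launch
        else:
            if "userData" in params:
                reasons.append("user data supplied at launch")
            if who in last_template and when - last_template[who] <= window:
                reasons.append("launch shortly after CreateLaunchTemplate by same principal")
        if reasons:
            findings.append((r["eventTime"], r["eventName"], who, reasons))
    return findings
```

Calling `triage(SAMPLE, {AUTOSCALER}, {"us-east-1", "us-west-2"})` returns four findings and leaves the allowlisted autoscaler launch out; tune the allowlists and the correlation window to the account being monitored.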