| ID | Name |
|---|---|
| ATAGS-T1101.001 | Create Cloud Instance |
| ATAGS-T1101.002 | Create Snapshot |
| ATAGS-T1101.003 | Delete Cloud Instance |
| ATAGS-T1101.004 | Modify Cloud Compute Configurations |
| ATAGS-T1101.005 | Revert Cloud Instance |

Threat Actors may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow Threat Actors to bypass firewall rules and permissions that exist on instances currently residing within an account. Threat Actors may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
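
Because preventive controls are of limited use here, audit-log correlation is the practical control. The following is an added detection sketch, not part of the original entry: it flags a principal who snapshots a volume, launches an instance, and attaches a volume built from that snapshot within a time window. Event names follow AWS CloudTrail; the flattened record layout, the sample records, and treating a `0.0.0.0/0` ingress rule as the "less restrictive security policy" are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, flattened audit records. Event names follow AWS CloudTrail;
# the field layout is a simplification assumed for this example.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "principal": "user/alice", "event": "RunInstances", "instance": "i-0aaa"},
    {"time": "2024-05-01T11:00:00", "principal": "user/mallory", "event": "CreateSnapshot", "snapshot": "snap-01"},
    {"time": "2024-05-01T11:05:00", "principal": "user/mallory", "event": "RunInstances", "instance": "i-0bbb"},
    {"time": "2024-05-01T11:07:00", "principal": "user/mallory", "event": "CreateVolume", "snapshot": "snap-01", "volume": "vol-01"},
    {"time": "2024-05-01T11:09:00", "principal": "user/mallory", "event": "AttachVolume", "volume": "vol-01", "instance": "i-0bbb"},
    {"time": "2024-05-01T11:12:00", "principal": "user/mallory", "event": "AuthorizeSecurityGroupIngress", "cidr": "0.0.0.0/0"},
]

def find_snapshot_mount_chains(events, window=timedelta(hours=1)):
    """Return one finding per snapshot-derived volume attached to an instance
    that the same principal launched, within `window` of taking the snapshot."""
    findings = []
    state = {}  # principal -> snapshots, instances, volumes and findings seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        s = state.setdefault(ev["principal"],
                             {"snaps": {}, "instances": {}, "volumes": {}, "open": []})
        name = ev["event"]
        if name == "CreateSnapshot":
            s["snaps"][ev["snapshot"]] = ts
        elif name == "RunInstances":
            s["instances"][ev["instance"]] = ts
        elif name == "CreateVolume" and ev.get("snapshot") in s["snaps"]:
            s["volumes"][ev["volume"]] = ev["snapshot"]  # volume built from a tracked snapshot
        elif name == "AttachVolume":
            snap = s["volumes"].get(ev["volume"])
            launched = s["instances"].get(ev["instance"])
            if snap and launched and ts - s["snaps"][snap] <= window:
                finding = {"principal": ev["principal"], "snapshot": snap,
                           "instance": ev["instance"], "opened_to_world": False}
                findings.append(finding)
                s["open"].append((ts, finding))
        elif name == "AuthorizeSecurityGroupIngress" and ev.get("cidr") == "0.0.0.0/0":
            for attached, finding in s["open"]:
                if ts - attached <= window:
                    finding["opened_to_world"] = True  # raises severity of the finding
    return findings
```

Legitimate backup and restore workflows produce the same chain, so findings are best triaged against known automation roles before alerting.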