| ID | Name |
|---|---|
| ATAGS-T1101.001 | Create Cloud Instance |
| ATAGS-T1101.002 | Create Snapshot |
| ATAGS-T1101.003 | Delete Cloud Instance |
| ATAGS-T1101.004 | Modify Cloud Compute Configurations |
| ATAGS-T1101.005 | Revert Cloud Instance |

Threat Actors may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. Threat Actors may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure. This differs from Revert Cloud Instance, where Threat Actors may revert to a snapshot to evade detection and remove evidence of their presence.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
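
Since the technique abuses a legitimate feature, one practical check is to review audit logs for snapshot creation by principals that are not expected to take backups. The following is an added example, not part of the original page: it assumes AWS CloudTrail as the log source (the `CreateSnapshot` event from `ec2.amazonaws.com`), and the allowlisted role name, account ID, and sample records are constructed for illustration.

```python
import json

# Hypothetical allowlist: ARN fragments of principals expected to create snapshots.
EXPECTED_PRINCIPALS = ("assumed-role/backup-scheduler/",)

# Constructed CloudTrail-style records (not real logs); only the fields used below.
SAMPLE_EVENTS = """
{"eventTime":"2024-01-10T02:00:05Z","eventSource":"ec2.amazonaws.com","eventName":"CreateSnapshot","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/backup-scheduler/nightly"},"requestParameters":{"volumeId":"vol-0aaa"},"responseElements":{"snapshotId":"snap-0aaa"}}
{"eventTime":"2024-01-10T14:31:22Z","eventSource":"ec2.amazonaws.com","eventName":"CreateSnapshot","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-user"},"requestParameters":{"volumeId":"vol-0bbb"},"responseElements":{"snapshotId":"snap-0bbb"}}
{"eventTime":"2024-01-10T14:32:01Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-user"},"requestParameters":{},"responseElements":null}
{"eventTime":"2024-01-10T14:35:40Z","eventSource":"ec2.amazonaws.com","eventName":"CreateSnapshot","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev-user"},"requestParameters":{"volumeId":"vol-0ccc"},"responseElements":null}
"""


def find_unexpected_snapshots(lines, expected=EXPECTED_PRINCIPALS):
    """Return CreateSnapshot events made by principals outside the allowlist."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if (event.get("eventSource") != "ec2.amazonaws.com"
                or event.get("eventName") != "CreateSnapshot"):
            continue
        arn = (event.get("userIdentity") or {}).get("arn", "unknown")
        if any(marker in arn for marker in expected):
            continue  # scheduled backup activity, expected
        findings.append({
            "time": event.get("eventTime"),
            "principal": arn,
            "volume": (event.get("requestParameters") or {}).get("volumeId"),
            # responseElements is null when the call failed
            "snapshot": (event.get("responseElements") or {}).get("snapshotId"),
            # a denied attempt is still worth reviewing
            "denied": "errorCode" in event,
        })
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_snapshots(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Denied attempts are reported alongside successful ones because a principal probing for snapshot permissions is relevant to the same review.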