AN0043: Analytic 0043
Detects virtual disk expansion or file copy operations to cloud buckets or mounted volumes from isolated instances.
Analyst context for executives and security teams
This analytic matters because activity from “isolated” cloud instances can undermine containment assumptions. If an instance believed to be restricted can expand virtual disks or copy files to cloud buckets or mounted volumes, sensitive data may still move and incident responders may be working from a false sense of isolation.
Executive priority
Prioritize validation of cloud isolation and containment controls. Leaders should ask whether incident response playbooks, audit evidence, and cloud security controls can prove that isolated IaaS instances cannot write to storage destinations such as buckets or mounted volumes except where explicitly intended. This is especially relevant for business continuity and incident decision-making because weak isolation can prolong containment and increase data-handling risk.
Technical view
For SOC, cloud security, and IR teams, validate whether telemetry exists to observe virtual disk expansion and file copy operations from IaaS instances that are tagged, segmented, quarantined, or otherwise treated as isolated. Because ATT&CK provides no tactic or detailed detection logic for this analytic, local implementation should define what “isolated instance” means in the environment and correlate instance state or containment labels with storage and volume activity.
Likely telemetry
- Cloud control-plane events for virtual disk or volume resize/expansion operations
- Cloud storage access logs for writes or object creation to buckets
- Mounted volume or network file storage access/write logs where available
- Instance inventory, tags, security group, network policy, or quarantine-state records identifying isolated instances
- Identity and access management logs showing which principal performed storage or disk operations
Detection direction
- Confirm that the organization can distinguish isolated/quarantined instances from normal production instances in logs.
- Alert or hunt for disk expansion and file-copy/write activity to cloud buckets or mounted volumes originating from isolated IaaS instances.
- Tune for approved administrative recovery, backup, migration, or forensic collection workflows to reduce false positives.
- Correlate storage activity with the identity principal, instance metadata, and containment timestamp to determine whether the action occurred before or after isolation.
- Identify blind spots where storage writes occur through mounted volumes, service accounts, or control-plane actions not visible to endpoint telemetry.
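One way to implement the correlation the direction above calls for, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it joins constructed control-plane and storage events against a quarantine-state record, keeps only disk-resize and object-write actions that occur after the containment timestamp, and sets aside activity by principals used for approved forensic-collection workflows. Event field names, action names, principals and all sample records are assumptions, not any provider's real schema.

```python
from datetime import datetime, timezone

# Constructed containment-state record (assumption): instance id -> time it was isolated.
QUARANTINE = {"i-0aaa": datetime(2026, 3, 1, 10, 0, tzinfo=timezone.utc)}

# Principals whose writes from isolated instances are an approved exception
# (e.g. an IR forensic-collection role); these are tuned out, not discarded.
APPROVED_PRINCIPALS = {"role/forensic-collector"}

# Control-plane / storage actions this analytic cares about (assumed names).
WATCHED_ACTIONS = {"ModifyVolume", "AttachVolume", "PutObject", "CopyObject"}

# Constructed sample events (assumption): mixed pre/post-isolation activity.
EVENTS = [
    {"time": "2026-03-01T09:30:00Z", "instance": "i-0aaa", "principal": "role/app",
     "action": "PutObject", "target": "bucket://data/report.csv"},
    {"time": "2026-03-01T10:15:00Z", "instance": "i-0aaa", "principal": "role/app",
     "action": "ModifyVolume", "target": "vol-0123 size 100GiB->500GiB"},
    {"time": "2026-03-01T10:20:00Z", "instance": "i-0aaa",
     "principal": "role/forensic-collector", "action": "PutObject",
     "target": "bucket://ir-evidence/i-0aaa.img"},
    {"time": "2026-03-01T10:25:00Z", "instance": "i-0bbb", "principal": "role/app",
     "action": "CopyObject", "target": "bucket://data/x"},
    {"time": "2026-03-01T10:30:00Z", "instance": "i-0aaa", "principal": "role/app",
     "action": "DescribeVolumes", "target": "-"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def post_isolation_storage_activity(events, quarantine, approved):
    """Return (findings, tuned_out): watched actions from isolated instances
    after their containment time, split by whether the principal is approved."""
    findings, tuned_out = [], []
    for ev in events:
        if ev["action"] not in WATCHED_ACTIONS:
            continue                       # not a disk-expansion or write action
        contained_at = quarantine.get(ev["instance"])
        if contained_at is None:
            continue                       # instance is not marked isolated
        if parse_ts(ev["time"]) < contained_at:
            continue                       # happened before containment
        (tuned_out if ev["principal"] in approved else findings).append(ev)
    return findings, tuned_out
```

Only the post-isolation volume resize by the application role is raised; the forensic-collection write is recorded as an approved exception so it stays reviewable without paging the on-call analyst.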
Mitigation priorities
- Define and document what isolation must block for IaaS instances, including storage writes and mounted-volume access.
- Review IAM permissions, instance roles, bucket policies, and volume attachment permissions for isolated or quarantined workloads.
- Ensure IR containment playbooks include validation that isolated instances cannot copy files to approved or unapproved storage destinations.
- Preserve cloud control-plane, storage, and identity logs long enough to support incident review and compliance evidence.
- Where business processes require exceptions, document them and monitor them explicitly.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for IaaS environments. It describes detection of virtual disk expansion or file copy operations to cloud buckets or mounted volumes from isolated instances. No ATT&CK relationships, tactics, or detailed detection logic were supplied, so the most defensible use is as a validation prompt for cloud containment monitoring and response readiness.
Official detection content is not provided, and no relationship context is supplied. This take does not infer adversary intent, active exploitation, specific cloud providers, or guaranteed detection coverage. Local cloud architecture, logging configuration, isolation model, and approved administrative workflows are required to operationalize the analytic.
Analytic 0043
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 221940ecfb89… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0043
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.