MITRE ATT&CK® Analytic

AN0947: Analytic 0947

Creation or modification of cloud virtual machine images (AMIs, custom images) with persistence mechanisms, followed by infrastructure provisioning that uses these implanted images.

Enterprise | AN0947 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic concerns cloud VM images that are created or modified to include persistence mechanisms, then reused to provision infrastructure. For leaders, the business issue is image trust: if a compromised or unauthorized image becomes a standard build source, persistence can scale into new cloud workloads and complicate recovery because rebuilding from the same image may reintroduce the problem.

Executive priority

Prioritize this as a cloud resilience and governance question: who can create, modify, approve, and deploy IaaS images, and can the organization prove image lineage during an incident or audit? The decision value is in reducing the chance that recovery, autoscaling, or new deployments unknowingly use implanted images. This supports cloud security, incident response readiness, compliance evidence for change control, and budget decisions around image governance and telemetry retention.

Technical view

For SOC, cloud security, and IR teams, validate visibility into IaaS image lifecycle events and downstream provisioning from those images. Because the ATT&CK object provides no official detection logic and no relationship context, teams should focus on confirming whether they can correlate image creation or modification with later instance launches. Investigations should establish image provenance, the actor or role that changed the image, approval/change-ticket context where available, and whether newly provisioned infrastructure inherits unexpected persistence-related configuration from the image.

Likely telemetry

  • Cloud control-plane audit logs for VM image creation, import, copy, sharing, modification, registration, and deletion events
  • Cloud control-plane audit logs for instance or infrastructure provisioning events that reference specific image identifiers
  • Identity and access management logs showing users, roles, service principals, and automation identities that created or modified images
  • Configuration/change-management records for approved image builds and golden image pipelines
  • Asset inventory or cloud configuration data mapping running instances to source image IDs

Detection direction

  • Validate that cloud audit logging is enabled and retained for image lifecycle activity and instance provisioning in IaaS environments.
  • Correlate image creation or modification events with subsequent infrastructure provisioning that uses the same image identifier.
  • Baseline approved image publishers, image build pipelines, naming conventions, accounts/projects, and expected deployment paths; alert on deviations from those baselines.
  • Review high-risk identity context, such as unusual roles, newly granted permissions, nonstandard automation identities, or activity outside approved change windows.
  • Tune for false positives from legitimate golden image updates, patching workflows, image imports, disaster recovery preparation, and automated build systems.
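As an added example (not Glexia's or MITRE's code) of the correlation and baseline checks above: the audit records are constructed, and the event and field names are assumptions loosely modelled on AWS CloudTrail, so map them to your provider's control-plane log schema before use.

```python
"""Correlate IaaS image lifecycle events with later provisioning from the same image ID.

Added example, not Glexia or MITRE code. The records below are constructed, and the
event and field names are assumptions loosely modelled on AWS CloudTrail; map them to
your provider's control-plane log schema before use.
"""
from datetime import datetime, timedelta

# Constructed sample control-plane audit events (chronological order is not assumed).
SAMPLE_EVENTS = [
    {"time": "2026-03-01T09:00:00Z", "name": "CreateImage", "actor": "role/image-pipeline", "image": "ami-0aaa111"},
    {"time": "2026-03-01T10:30:00Z", "name": "RunInstances", "actor": "role/autoscaling", "image": "ami-0aaa111"},
    {"time": "2026-03-02T02:15:00Z", "name": "ModifyImageAttribute", "actor": "user/contractor-temp", "image": "ami-0bbb222"},
    {"time": "2026-03-02T02:40:00Z", "name": "RunInstances", "actor": "role/autoscaling", "image": "ami-0bbb222"},
    {"time": "2026-03-03T11:00:00Z", "name": "RunInstances", "actor": "role/autoscaling", "image": "ami-0ccc333"},
]

# Assumed event names for image lifecycle changes and for provisioning.
IMAGE_CHANGE_EVENTS = {"CreateImage", "CopyImage", "ImportImage", "RegisterImage", "ModifyImageAttribute"}
PROVISION_EVENTS = {"RunInstances"}
# Baseline of identities approved to produce images; anything else is a deviation to review.
APPROVED_IMAGE_PUBLISHERS = {"role/image-pipeline"}


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_image_provisioning(events, approved=APPROVED_IMAGE_PUBLISHERS, window_hours=24 * 7):
    """Return (alerts, unknown_lineage): alerts pair a launch with each change to its
    image within window_hours beforehand, flagged when the changing identity is not in
    the approved baseline; unknown_lineage lists image IDs launched with no observed
    change event, a provenance gap to reconcile against the image inventory."""
    window = timedelta(hours=window_hours)
    changes, alerts, unknown_lineage = {}, [], set()
    for event in sorted(events, key=lambda e: _parse_time(e["time"])):
        when = _parse_time(event["time"])
        if event["name"] in IMAGE_CHANGE_EVENTS:
            changes.setdefault(event["image"], []).append((when, event))
        elif event["name"] in PROVISION_EVENTS:
            prior = [c for t, c in changes.get(event["image"], []) if when - window <= t <= when]
            if not prior:
                unknown_lineage.add(event["image"])
            for change in prior:
                alerts.append({
                    "image": event["image"], "change_event": change["name"],
                    "changed_by": change["actor"], "launched_at": event["time"],
                    "launched_by": event["actor"], "unapproved_publisher": change["actor"] not in approved,
                })
    return alerts, sorted(unknown_lineage)
```

Legitimate golden-image updates will also pair with their launches; the `unapproved_publisher` flag and the approved baseline are where the false-positive tuning from the list above is applied.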

Mitigation priorities

  • Restrict who and what can create, modify, share, and deploy VM images in IaaS environments using least privilege and separation of duties.
  • Require approved image build pipelines, change control, and image provenance records for production workloads.
  • Maintain an inventory that links running infrastructure to source images so incident responders can identify affected descendants quickly.
  • Use image validation or scanning processes before promotion to production, aligned to the organization’s baseline expectations.
  • Retain cloud audit logs long enough to support incident reconstruction and compliance evidence.

Analyst notes and limits

The supplied object is an ATT&CK detection analytic for IaaS image creation or modification with persistence mechanisms followed by provisioning from those images. No tactics, relationships, aliases, labels, or official detection logic were supplied. The most useful defensive interpretation is therefore governance and telemetry validation around cloud image lifecycle, provenance, and workload deployment correlation.

This take is based only on the supplied ATT&CK analytic fields and the MITRE external reference. It does not establish active exploitation, attribution, specific cloud provider behavior, guaranteed detection, or customer exposure. Local cloud architecture, logging configuration, IAM model, image pipeline design, and change-management practices are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Analytic 0947

Creation or modification of cloud virtual machine images (AMIs, custom images) with persistence mechanisms, followed by infrastructure provisioning that uses these implanted images.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 42656feaceb816d5...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: 42656feaceb8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0947 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.