AN1242: Analytic 1242
Detection focuses on abnormal or unauthorized cloud instance creation events. From a defender’s perspective, suspicious behavior includes VM/instance creation by rarely used or newly created accounts, creation events from unusual geolocations, or rapid sequences of snapshot creation followed by instance creation and mounting. Unexpected network or IAM policy changes applied to new instances can indicate adversarial use rather than legitimate provisioning.
Analyst context for executives and security teams
This analytic matters because unauthorized or abnormal IaaS instance creation can turn a cloud account issue into real operational and cost risk. New virtual machines created by unusual accounts, from unusual locations, or immediately after snapshot activity may indicate that cloud resources are being used outside approved provisioning paths.
Executive priority
Security leaders should treat this as a cloud control validation item: can the organization prove who created new instances, from where, using which account, and with what network or IAM changes? The business value is in reducing surprise cloud exposure, unplanned spend, audit gaps, and incident response uncertainty when new infrastructure appears unexpectedly.
Technical view
For SOC, cloud security, and IR teams, validate monitoring around IaaS instance or VM creation events. Prioritize correlation with account age and historical usage, source geolocation, snapshot creation followed by instance creation and mounting, and network or IAM policy changes applied to new instances. Because no ATT&CK tactic or separate detection logic is supplied, local baselining is required to distinguish approved provisioning automation from suspicious activity.
Likely telemetry
- IaaS cloud audit logs for instance or VM creation events
- Identity and access logs showing the account or principal that created the instance
- Account metadata such as newly created, rarely used, or service account status
- Source location or geolocation context for cloud API activity
- Snapshot creation, mount, or related storage activity logs
Detection direction
- Validate that cloud audit logging captures instance creation across relevant IaaS accounts and regions.
- Baseline normal provisioning patterns, including approved automation accounts, expected geographies, and expected deployment cadence.
- Correlate rapid snapshot creation followed by instance creation and mounting as higher-priority review context.
- Alert or triage when new instances receive unexpected network exposure or IAM policy changes shortly after creation.
- Tune for legitimate infrastructure-as-code, autoscaling, disaster recovery, and administrative workflows to reduce false positives.
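As an added worked example (not code from the ATT&CK analytic or from Glexia), the following Python applies the telemetry and detection direction above to a handful of constructed, provider-neutral audit events: it skips approved automation, flags new or rarely used accounts and unexpected geolocations, and correlates snapshot-then-create-then-mount sequences and post-creation network or IAM changes inside a local window. Event field names, action names and every baseline threshold are assumptions to be replaced with your own provider's log schema and baseline.

```python
from datetime import datetime, timedelta

# Constructed, provider-neutral cloud audit events (sample data, not real logs);
# the field names (actor, action, target, geo, age_days, calls_30d) are assumptions.
def _ev(ts, actor, action, target, geo, age_days, calls_30d):
    return dict(ts=datetime.fromisoformat(ts), actor=actor, action=action,
                target=target, geo=geo, age_days=age_days, calls_30d=calls_30d)

EVENTS = [
    _ev("2024-05-01T02:00:00", "svc-ci", "CreateInstance", "i-001", "US", 400, 900),
    _ev("2024-05-01T03:10:00", "tmp-user", "CreateSnapshot", "snap-9", "BR", 1, 2),
    _ev("2024-05-01T03:12:00", "tmp-user", "CreateInstance", "i-002", "BR", 1, 2),
    _ev("2024-05-01T03:14:00", "tmp-user", "AttachVolume", "i-002", "BR", 1, 2),
    _ev("2024-05-01T03:20:00", "tmp-user", "ModifyNetworkPolicy", "i-002", "BR", 1, 2),
]

# Local baseline: the analytic supplies no thresholds, so these must come from your own
# provisioning patterns (approved automation, expected regions, deployment cadence).
BASELINE = {
    "approved_automation": {"svc-ci"},  # tuned-out IaC / autoscaling principals
    "expected_geos": {"US", "DE"},
    "new_account_days": 7,
    "rare_calls_30d": 10,
    "window": timedelta(minutes=30),    # correlation window for snapshot/mount/policy events
}
POLICY_ACTIONS = {"ModifyNetworkPolicy", "ModifyIamPolicy"}


def triage(events, baseline):
    """Return {instance_id: [reasons]} for instance creations that warrant analyst review."""
    findings = {}
    for ev in events:
        if ev["action"] != "CreateInstance" or ev["actor"] in baseline["approved_automation"]:
            continue
        t0, inst, reasons = ev["ts"], ev["target"], []
        if ev["age_days"] < baseline["new_account_days"]:
            reasons.append("newly created account")
        if ev["calls_30d"] < baseline["rare_calls_30d"]:
            reasons.append("rarely used account")
        if ev["geo"] not in baseline["expected_geos"]:
            reasons.append("unusual geolocation " + ev["geo"])
        # Same actor snapshotted shortly before; the new instance then received a mount / policy change.
        snap = any(e["actor"] == ev["actor"] and e["action"] == "CreateSnapshot"
                   and t0 - baseline["window"] <= e["ts"] <= t0 for e in events)
        after = [e for e in events if e["target"] == inst and t0 < e["ts"] <= t0 + baseline["window"]]
        if snap and any(e["action"] == "AttachVolume" for e in after):
            reasons.append("snapshot -> instance -> mount sequence")
        if any(e["action"] in POLICY_ACTIONS for e in after):
            reasons.append("network/IAM change shortly after creation")
        if reasons:
            findings[inst] = reasons
    return findings
```

Running `triage(EVENTS, BASELINE)` returns only `i-002` with all five reasons; the `svc-ci` creation is tuned out as approved automation.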
Mitigation priorities
- Enforce approved provisioning paths and require accountable identities for instance creation.
- Review permissions so only expected roles or automation principals can create instances, modify networking, or change IAM policies.
- Maintain logging and retention sufficient for incident response and compliance evidence around cloud resource creation.
- Use change management or tagging standards so authorized new infrastructure is distinguishable from unexpected creation.
- Periodically test whether SOC and cloud teams can investigate a suspicious new instance from creation through associated identity, snapshot, network, and IAM activity.
Analyst notes and limits
This object is a MITRE detection analytic for IaaS cloud environments focused on abnormal or unauthorized cloud instance creation. It provides useful behavioral cues but no formal detection query, no mapped tactic, and no relationship context. The strongest defensive use is as a validation checklist for cloud audit telemetry, identity context, and provisioning governance.
The supplied ATT&CK fields do not identify specific cloud providers, tactics, adversaries, campaigns, mitigations, or confirmed detection logic. Any severity, alert thresholds, or exposure assessment must be derived from the organization’s own cloud architecture, account model, regions, and provisioning workflows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4092bfe6a734… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1242
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.