T1578.001: Create Snapshot

Create Snapshot matters because a cloud snapshot can give an intruder a new path to data or system contents without directly logging into the protected original workload. In IaaS environments, the business issue is not just backup activity; it is whether identities with compute permissions can create point-in-time copies, attach them elsewhere, and work around controls that were meant to protect production infrastructure.

Executive priority

Prioritize this as a cloud control-plane and identity governance risk. Leaders should ask whether snapshot creation is tightly permissioned, logged, reviewed, and correlated with related infrastructure changes such as new instance creation, volume attachment, and firewall policy changes. This also supports audit and compliance evidence: the organization should be able to show who can create snapshots, when they do so, and whether activity aligns with approved operational processes.

Technical view

For SOC, detection engineering, cloud security, and IR teams, validate coverage for IaaS control-plane activity around snapshot creation under ATT&CK T1578.001 and the parent behavior Modify Cloud Compute Infrastructure. Because MITRE provides no official detection text for this object, teams should build from the behavior: snapshot creation by an identity, possible creation of a new cloud instance, mounting or attaching the snapshot, and policy changes that allow access such as SSH. Relationship context notes DET0423 as a detection strategy for this behavior, M1018 User Account Management, M1047 Audit, and Pacu as software mapped to use this technique; treat those as prioritization inputs, not proof of activity in your environment.

Likely telemetry

IaaS cloud control-plane audit logs for snapshot or backup creation events
Identity and access management logs showing the principal, role, session, and source context used to create snapshots
Compute infrastructure events for new instance creation and snapshot or volume attachment/mount activity
Network or firewall policy change logs, especially rules enabling inbound or outbound SSH access to newly created infrastructure
Asset and configuration inventory showing snapshots, volumes, virtual machines, ownership tags, and change history

Detection direction

Alert or hunt for snapshot creation by unusual identities, newly modified accounts, rarely used roles, or activity outside approved backup and maintenance windows.
Correlate snapshot creation with subsequent cloud instance creation, volume attachment, and firewall or access policy changes, since the ATT&CK description highlights this chained behavior.
Tune false positives around legitimate backup, disaster recovery, migration, and maintenance workflows; require context such as asset criticality, identity role, ticket/change reference, and frequency.
Validate audit log retention and completeness for cloud control-plane events; lack of audit data is a major blind spot because MITRE lists no endpoint-level detection for this IaaS behavior.
Use the Pacu relationship as threat-informed context for detection testing where appropriate, while avoiding assumptions that any specific tool is present.

Mitigation priorities

Apply M1018 User Account Management by limiting snapshot creation, instance creation, volume attachment, and related policy modification permissions to identities with a defined operational need.
Regularly review privileged cloud roles and account lifecycle processes so dormant, excessive, or mis-scoped permissions cannot be used to create or access snapshots.
Apply M1047 Audit by ensuring cloud control-plane logging captures snapshot creation and related compute modifications, with retention sufficient for investigation and compliance evidence.
Create operational review workflows for snapshots of sensitive systems, including ownership, purpose, age, and linkage to approved change or backup processes.
Prioritize controls that connect identity governance, cloud configuration auditing, and SOC correlation rather than treating snapshots as a routine backup-only event.

Analyst notes and limits

This object is a sub-technique of T1578 Modify Cloud Compute Infrastructure under the defense-impairment tactic and applies to IaaS. The supplied ATT&CK text emphasizes evasion through cloud snapshot creation and possible use of a created instance with access policy changes. The relationship to Pacu indicates a mapped open-source AWS exploitation framework, but the supplied data does not support claims about active exploitation, attribution, or environment-specific exposure.

Official ATT&CK detection guidance is not provided for T1578.001 in the supplied fields. Practical detection depends on each cloud provider’s audit schema, enabled logging, retention, identity model, and approved operational snapshot processes. Local baselines are required to separate normal backup or recovery activity from suspicious control-plane changes.

Official MITRE ATT&CK definition

Create Snapshot

An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.

An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1578	Modify Cloud Compute Infrastructure	This object subtechnique of Modify Cloud Compute Infrastructure.

Associated objects

Groups, software, and campaigns

S1091: Pacu

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]

IaaS

Relationship explorer

All related ATT&CK context

subtechnique of · Technique T1578: Modify Cloud Compute Infrastructure Enterprise detects · Detection Strategy DET0423: Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot Enterprise mitigates · Mitigation M1047: Audit Enterprise mitigates · Mitigation M1018: User Account Management Enterprise uses · Tool S1091: Pacu Enterprise

Mitigations

Mitigation direction

M1047: Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Jun 9, 2020, 15:33 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 5a6fe21024b479cb...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`5a6fe21024b4…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Mandiant M-Trends 2020

Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.
Open source URL
[2]
mitre-attack T1578.001
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams