T1578.002: Create Cloud Instance
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.[1]
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
Analyst context for executives and security teams
Creating a cloud instance is not just routine infrastructure activity; in this ATT&CK context it can be used to evade defenses in an IaaS environment. A new VM may avoid controls applied to existing instances, let an adversary mount snapshots under less restrictive policies, or conduct activity without disrupting current workloads.
Executive priority
Treat unauthorized or unusual cloud instance creation as a resilience and governance issue, not only a SOC alert. Leaders should know who can create compute resources, whether audit evidence proves that activity is reviewed, and whether cloud account permissions are tight enough to prevent users from bypassing firewall rules, instance permissions, or monitoring assumptions.
Technical view
This is an enterprise ATT&CK sub-technique under Modify Cloud Compute Infrastructure for IaaS and defense impairment. SOC and cloud security teams should validate visibility into new VM/instance creation, associated account identity, snapshot or volume mounting, applied security policies, and follow-on access to local data or remote staging paths. MITRE does not provide a native detection paragraph for this object, but the relationship to DET0449 indicates a detection strategy exists for cloud compute infrastructure modification involving instance creation.
Likely telemetry
- Cloud audit logs for compute instance or VM creation events
- Identity and user account activity tied to the actor creating the instance
- Cloud permissions, role, and policy change records
- Firewall, security group, or network policy configuration applied to the new instance
- Snapshot, volume creation, mount, or attach events
Detection direction
- Baseline expected instance creation by account, role, project, region, image, and business process.
- Alert on instance creation by unusual users, newly elevated accounts, dormant accounts, or identities outside normal change windows.
- Correlate new instances with snapshot creation or volume attachment, especially when less restrictive security policies are applied.
- Review whether monitoring covers newly created instances immediately; a common blind spot is assuming existing endpoint or network controls automatically apply to new cloud resources.
- Tune for administrative and automation noise by incorporating approved deployment pipelines, change tickets, service accounts, and expected infrastructure-as-code activity.
Mitigation priorities
- Enforce user account management and least privilege so only approved identities can create or modify cloud compute resources.
- Regularly audit cloud accounts, compute inventory, permissions, and policy configurations for unauthorized or unexpected changes.
- Require governance around instance creation, including ownership, tagging, approval paths, and reviewable audit trails.
- Validate that new instances inherit required logging, network restrictions, and security controls rather than relying on controls attached only to pre-existing workloads.
- Review snapshot and volume access permissions because this technique can be paired with snapshot mounting to access local data.
Analyst notes and limits
ATT&CK links this behavior to campaign C0027 and groups LAPSUS$ and Scattered Spider, but that relationship should be used for context only; it does not prove those actors are present in any environment. The main defensive question is whether cloud compute creation can bypass the organization’s intended identity, network, and monitoring controls.
The official ATT&CK object does not include a detection description. This take is based on the official description, platform, tactic, external reference, and listed relationships. Actual detection logic, severity, and response steps require environment-specific cloud audit data, identity context, and approved operational baselines.
Create Cloud Instance
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.[1]
Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | This object subtechnique of Modify Cloud Compute Infrastructure. |
Groups, software, and campaigns
G1004: LAPSUS$
LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]
C0027: C0027
C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | 431061f0a2a5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Mandiant M-Trends 2020
Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.
Open source URL -
[2]
mitre-attack T1578.002Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.