Instance Creation (b5b0e8ae-7436-4951-950a-7b83c4dd3f2c)

The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples:

  • AWS: creating an EC2 instance using RunInstances API calls.
  • Azure: creating a VM through the Azure Resource Manager (ARM).
  • GCP: an instance.insert action is recorded.

Data Collection Measures:

  • AWS CloudTrail: CloudTrail logs stored in S3 or accessible via CloudWatch.
  • Azure Activity Logs: Accessible in Azure Monitor or exported to a storage account.
  • GCP Audit Logs: Logs Explorer or BigQuery.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Instance Creation (b5b0e8ae-7436-4951-950a-7b83c4dd3f2c) | mitre-data-component | Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) | Attack Pattern | 1 |
| Instance Creation (b5b0e8ae-7436-4951-950a-7b83c4dd3f2c) | mitre-data-component | Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | 1 |
| Instance Creation (b5b0e8ae-7436-4951-950a-7b83c4dd3f2c) | mitre-data-component | Unused/Unsupported Cloud Regions - T1535 (59bd0dec-f8b2-4b9a-9141-37a1e6899761) | Attack Pattern | 1 |
| Instance Creation (b5b0e8ae-7436-4951-950a-7b83c4dd3f2c) | mitre-data-component | Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) | Attack Pattern | 1 |
| Instance Creation (b5b0e8ae-7436-4951-950a-7b83c4dd3f2c) | mitre-data-component | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 1 |
| Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) | Attack Pattern | Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | 2 |
| Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2 |