Add T1578.001 - Cloud Snapshot Creation Tests (AWS, Azure, GCP) (#3103)

Co-authored-by: Hare Sudhan <code@0x6c.dev> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
2025-04-30 07:38:13 +09:00
parent f6c76daca0
commit 69ce78765d
2 changed files with 254 additions and 0 deletions
@@ -0,0 +1,121 @@
+# T1578.001 - Modify Cloud Compute Infrastructure: Create Snapshot
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1578/001)
+<blockquote>An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidenc...
+
+An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS - Create EBS Snapshot](#atomic-test-1---aws---create-ebs-snapshot)
+- [Atomic Test #2 - Azure - Create Managed Disk Snapshot](#atomic-test-2---azure---create-managed-disk-snapshot)
+- [Atomic Test #3 - GCP - Create Persistent Disk Snapshot](#atomic-test-3---gcp---create-persistent-disk-snapshot)
+
+<br/>
+
+## Atomic Test #1 - AWS - Create EBS Snapshot
+Creates a snapshot of a specified EBS volume in AWS.
+
+**Supported Platforms:** iaas:aws
+
+**auto_generated_guid:** 1dbd9e45-2be4-4924-83b3-ff6a1cd106a7
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| aws_volume_id | The AWS EBS Volume ID to create a snapshot from | string | vol-0123456789abcdef0 |
+| aws_region | AWS region where the volume is located | string | us-east-1 |
+
+#### Attack Commands: Run with `sh`!
+```sh
+aws ec2 create-snapshot --region \#{aws_region} --volume-id \#{aws_volume_id} --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output text
+```
+
+#### Cleanup Commands:
+```sh
+SNAPSHOT_ID=$(aws ec2 describe-snapshots --region \#{aws_region} --filters "Name=volume-id,Values=\#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
+aws ec2 delete-snapshot --region \#{aws_region} --snapshot-id "$SNAPSHOT_ID"
+```
+
+#### Dependencies: Run with `sh`!
+##### Description: AWS CLI must be installed
+```sh
+command -v aws
+```
+##### Description: The specified EBS volume must exist
+```sh
+aws ec2 describe-volumes --volume-ids \#{aws_volume_id} --region \#{aws_region}
+```
+
+<br/><br/>
+
+## Atomic Test #2 - Azure - Create Managed Disk Snapshot
+Creates a snapshot of a managed disk in Azure.
+
+**Supported Platforms:** iaas:azure
+
+**auto_generated_guid:** 5c5b1e22-38d9-4f70-97c5-2bc31d32ab29
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| azure_disk_name | The Azure disk name | string | myDiskName |
+| azure_resource_group | The Azure resource group where the disk is located | string | myResourceGroup |
+| azure_snapshot_name | The Azure snapshot name | string | mySnapshotName |
+
+#### Attack Commands: Run with `sh`!
+```sh
+az snapshot create --resource-group \#{azure_resource_group} --name \#{azure_snapshot_name} --source \#{azure_disk_name} --location eastus
+```
+
+#### Cleanup Commands:
+```sh
+az snapshot delete --resource-group \#{azure_resource_group} --name \#{azure_snapshot_name}
+```
+
+#### Dependencies: Run with `sh`!
+##### Description: Azure CLI must be installed
+```sh
+command -v az
+```
+##### Description: The specified disk must exist
+```sh
+az disk show --resource-group \#{azure_resource_group} --name \#{azure_disk_name}
+```
+
+<br/><br/>
+
+## Atomic Test #3 - GCP - Create Persistent Disk Snapshot
+Creates a snapshot of a persistent disk in Google Cloud Platform.
+
+**Supported Platforms:** iaas:gcp
+
+**auto_generated_guid:** 902c61df-c1bc-4e8b-9aa0-55e2e68e0934
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| gcp_disk_name | The Google Cloud disk name | string | myDiskName |
+| gcp_zone | The GCP zone where the disk is located | string | us-central1-a |
+| gcp_snapshot_name | The Google Cloud snapshot name | string | mySnapshotName |
+
+#### Attack Commands: Run with `sh`!
+```sh
+gcloud compute snapshots create \#{gcp_snapshot_name} --source-disk=\#{gcp_disk_name} --zone=\#{gcp_zone}
+```
+
+#### Cleanup Commands:
+```sh
+gcloud compute snapshots delete \#{gcp_snapshot_name} --quiet
+```
+
+#### Dependencies: Run with `sh`!
+##### Description: GCloud CLI must be installed
+```sh
+command -v gcloud
+```
+##### Description: The specified disk must exist
+```sh
+gcloud compute disks describe \#{gcp_disk_name} --zone=\#{gcp_zone}
+```
+
+<br/>
@@ -0,0 +1,133 @@
+attack_technique: T1578.001
+display_name: "Modify Cloud Compute Infrastructure: Create Snapshot"
+atomic_tests:
+- name: AWS - Create Snapshot from EBS Volume
+  auto_generated_guid:
+  description: |
+    Creates an EBS snapshot in AWS using the AWS CLI.
+    This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
+  supported_platforms:
+  - iaas:aws
+  input_arguments:
+    aws_region:
+      description: AWS region where the volume is located.
+      type: string
+      default: us-east-1
+    aws_volume_id:
+      description: The AWS EBS Volume ID to create a snapshot from.
+      type: string
+      default: vol-0123456789abcdef0
+  dependencies:
+    - description: AWS CLI must be installed.
+      prereq_command: |
+        if command -v aws > /dev/null 2>&1; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html"
+    - description: AWS CLI must be authenticated.
+      prereq_command: |
+        if aws sts get-caller-identity --region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Configure AWS credentials with: aws configure"
+    - description: EBS volume must exist.
+      prereq_command: |
+        if aws ec2 describe-volumes --volume-ids #{aws_volume_id} --region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Ensure the volume ID exists in the target AWS account and region."
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      aws ec2 create-snapshot --region #{aws_region} --volume-id #{aws_volume_id} --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output text
+    cleanup_command: |
+      SNAPSHOT_ID=$(aws ec2 describe-snapshots --region #{aws_region} --filters "Name=volume-id,Values=#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
+      if [ "$SNAPSHOT_ID" != "None" ]; then
+        aws ec2 delete-snapshot --region #{aws_region} --snapshot-id "$SNAPSHOT_ID"
+      fi
+
+- name: Azure - Create Snapshot from Managed Disk
+  auto_generated_guid:
+  description: |
+    Creates a snapshot of a managed disk in Azure using the Azure CLI.
+    Simulates adversary snapshotting behavior for persistence or data duplication.
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    azure_resource_group:
+      description: The Azure resource group where the disk is located.
+      type: string
+      default: myResourceGroup
+    azure_disk_name:
+      description: The Azure disk name.
+      type: string
+      default: myDiskName
+    azure_snapshot_name:
+      description: The Azure snapshot name.
+      type: string
+      default: mySnapshotName
+  dependencies:
+    - description: Azure CLI must be installed.
+      prereq_command: |
+        if command -v az > /dev/null 2>&1; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Install Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"
+    - description: Azure CLI must be authenticated.
+      prereq_command: |
+        if az account show > /dev/null 2>&1; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Login with: az login"
+    - description: Azure disk must exist.
+      prereq_command: |
+        if az disk show --resource-group #{azure_resource_group} --name #{azure_disk_name} > /dev/null 2>&1; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Ensure the disk exists in the given resource group."
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      az snapshot create --resource-group #{azure_resource_group} --name #{azure_snapshot_name} --source #{azure_disk_name} --location eastus
+    cleanup_command: |
+      az snapshot delete --resource-group #{azure_resource_group} --name #{azure_snapshot_name}
+
+- name: GCP - Create Snapshot from Persistent Disk
+  auto_generated_guid:
+  description: |
+    Creates a snapshot of a persistent disk in GCP using the gcloud CLI.
+    Emulates adversary behavior to gain access to volume data or replicate environment state.
+  supported_platforms:
+  - iaas:gcp
+  input_arguments:
+    gcp_disk_name:
+      description: The Google Cloud disk name.
+      type: string
+      default: myDiskName
+    gcp_zone:
+      description: The Google Cloud zone where the disk is located.
+      type: string
+      default: us-central1-a
+    gcp_snapshot_name:
+      description: The Google Cloud snapshot name.
+      type: string
+      default: mySnapshotName
+  dependencies:
+    - description: gcloud CLI must be installed.
+      prereq_command: |
+        if command -v gcloud > /dev/null 2>&1; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Install gcloud CLI: https://cloud.google.com/sdk/docs/install"
+    - description: gcloud CLI must be authenticated.
+      prereq_command: |
+        if gcloud auth list --filter=status:ACTIVE --format="value(account)" | grep . > /dev/null; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Authenticate with: gcloud auth login"
+    - description: GCP disk must exist.
+      prereq_command: |
+        if gcloud compute disks describe #{gcp_disk_name} --zone=#{gcp_zone} > /dev/null 2>&1; then exit 0; else exit 1; fi
+      get_prereq_command: |
+        echo "Ensure the disk exists in the specified zone."
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      gcloud compute snapshots create #{gcp_snapshot_name} --source-disk=#{gcp_disk_name} --zone=#{gcp_zone}
+    cleanup_command: |
+      gcloud compute snapshots delete #{gcp_snapshot_name} --quiet