还原云实例

攻击者在执行恶意活动后可能会撤回对云实例所做的更改，以逃避检测并删除其存在的证据。在高度虚拟化的环境（如基于云的基础架构）中，可以通过云管理仪表板使用VM或数据存储快照的还原来轻松实现此目的。该技术的另一个变体是利用附加到计算实例的临时存储。大多数云提供商都提供各种类型的存储，包括持久性存储，本地存储和/或临时存储，后者通常在VM停止/重新启动时重置。

Revert Cloud Instance

An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be easily facilitated using restoration from VM or data storage snapshots through the cloud management dashboard. Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the latter types often reset upon stop/restart of the VM

标签

ID编号： T1536

策略：绕过防御

平台： AWS，GCP，Azure

所需权限： user，administrator

数据源： Azure OS日志，AWS CloudTrail日志，Azure活动日志，Stackdriver日志，AWS OS日志

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

建立实例活动的集中日志记录，即使恢复到快照，回滚更改或更改存储的持久性/类型后，也可以用于监视和查看系统事件。专门监视与快照和回滚以及VM配置更改相关的事件，这些事件是在正常活动之外发生的。为了减少误报，有效的变更管理过程可以引入已知的标识符，该标识符随变更一起记录（例如，标签或标头），如果云提供商支持的话，以帮助区分有效的预期行为和恶意行为。

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g. tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

- 译者: 林妙倩、戴亦仑 . source:cve.scap.org.cn