
Instance Start (f8213cde-6b3a-420d-9ab7-41c9af1a919f)

The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples:

  • Google Cloud Platform (GCP): Starting an instance through instance.start API activity.
  • AWS: Logging of StartInstances in AWS CloudTrail for EC2 instances.
  • Azure: Microsoft.Compute/virtualMachines/start entries indicate a VM instance being started.

Data Collection Measures:

  • Google Cloud Platform: Enable GCP Audit Logs for Compute Engine.
    • Log Event: Look for instance.start entries in Cloud Logging.
  • Amazon Web Services (AWS): AWS CloudTrail.
    • Log Event: Search for StartInstances events associated with EC2.
  • Microsoft Azure: Azure Activity Logs.
    • Log Event: Filter for Microsoft.Compute/virtualMachines/start operations.
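The three log sources above can be folded into one detection. The following is an added example (not part of this galaxy entry or of MITRE's own tooling) that normalizes constructed CloudTrail, GCP audit log and Azure Activity Log records into a single Instance Start record; the record field shapes, the GCP methodName form `v1.compute.instances.start` and the Azure `/action` suffix are assumptions about provider log formats.

```python
# Added example: normalizes the three audit sources the page names into one
# "Instance Start" record. Field shapes and the exact GCP methodName /
# Azure "/action" suffix are assumptions about provider log formats.

def _aws(rec):  # CloudTrail: EC2 StartInstances
    if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "StartInstances":
        return None
    items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return {"provider": "aws", "actor": rec.get("userIdentity", {}).get("arn"),
            "instances": [i.get("instanceId") for i in items]}

def _gcp(rec):  # Cloud Audit Logs: methodName ending in instances.start
    p = rec.get("protoPayload", {})
    if not p.get("methodName", "").endswith("instances.start"):
        return None
    return {"provider": "gcp", "actor": p.get("authenticationInfo", {}).get("principalEmail"),
            "instances": [p.get("resourceName")]}

def _azure(rec):  # Activity Log: Microsoft.Compute/virtualMachines/start, any case, optional /action
    op = rec.get("operationName", "").lower()
    if not op.startswith("microsoft.compute/virtualmachines/start"):
        return None
    return {"provider": "azure", "actor": rec.get("caller"), "instances": [rec.get("resourceId")]}

PARSERS = {"aws": _aws, "gcp": _gcp, "azure": _azure}

def detect_instance_starts(events):
    """Return normalized Instance Start hits from (source, record) pairs; non-matching records are dropped."""
    hits = []
    for source, rec in events:
        parser = PARSERS.get(source)
        hit = parser(rec) if parser else None
        if hit:
            hits.append(hit)
    return hits

# Constructed sample records (not real telemetry); the DescribeInstances call must not match.
SAMPLE_EVENTS = [
    ("aws", {"eventSource": "ec2.amazonaws.com", "eventName": "StartInstances",
             "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
             "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}}),
    ("aws", {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"}),
    ("gcp", {"protoPayload": {"methodName": "v1.compute.instances.start",
                              "authenticationInfo": {"principalEmail": "bob@example.com"},
                              "resourceName": "projects/p/zones/us-central1-a/instances/vm-1"}}),
    ("azure", {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
               "caller": "carol@example.com",
               "resourceId": "/subscriptions/s/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-2"}),
]
```

Running `detect_instance_starts(SAMPLE_EVENTS)` yields three hits (one per provider) with actor and instance fields ready for correlation against the techniques listed below, such as T1578.004.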
Related clusters:

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Instance Start (f8213cde-6b3a-420d-9ab7-41c9af1a919f) | mitre-data-component | 1
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) | Attack Pattern | Instance Start (f8213cde-6b3a-420d-9ab7-41c9af1a919f) | mitre-data-component | 1
Instance Start (f8213cde-6b3a-420d-9ab7-41c9af1a919f) | mitre-data-component | Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | 1
Instance Start (f8213cde-6b3a-420d-9ab7-41c9af1a919f) | mitre-data-component | Revert Cloud Instance - T1578.004 (0708ae90-d0eb-4938-9a76-d0fc94f6eec1) | Attack Pattern | 1
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | Revert Cloud Instance - T1578.004 (0708ae90-d0eb-4938-9a76-d0fc94f6eec1) | Attack Pattern | 2