Skip to content

T1578.003 Delete Cloud Instance

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.1

Item Value
ID T1578.003
Sub-techniques T1578.001, T1578.002, T1578.003, T1578.004
Tactics TA0005
Platforms IaaS
Permissions required User
Version 1.1
Created 16 June 2020
Last Modified 08 March 2021

Mitigations

ID Mitigation Description
M1047 Audit Routinely check user permissions to ensure only the expected users have the capability to delete new instances.
M1018 User Account Management Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.1

Detection

ID Data Source Data Component
DS0030 Instance Instance Deletion

References

  1. Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020. 

  2. Google. (n.d.). Audit Logs. Retrieved June 1, 2020. 

Back to top