T1578.003 Delete Cloud Instance
An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.1
| Item | Value |
|---|---|
| ID | T1578.003 |
| Sub-techniques | T1578.001, T1578.002, T1578.003, T1578.004 |
| Tactics | TA0005 |
| Platforms | IaaS |
| Permissions required | User |
| Version | 1.1 |
| Created | 16 June 2020 |
| Last Modified | 08 March 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1004 | LAPSUS$ | LAPSUS$ has deleted the target’s systems and resources in the cloud to trigger the organization’s incident and crisis response process.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Routinely check user permissions to ensure only the expected users have the capability to delete new instances. |
| M1018 | User Account Management | Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.1 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0030 | Instance | Instance Deletion |
References
-
Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. ↩↩
-
Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020. ↩
-
Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020. ↩
-
MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. ↩