T1578.004 Revert Cloud Instance

An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.

Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM. [1][2]

| Item | Value |
| --- | --- |
| ID | T1578.004 |
| Sub-techniques | T1578.001, T1578.002, T1578.003, T1578.004 |
| Tactics | TA0005 |
| Platforms | IaaS |
| Permissions required | User |
| Version | 1.1 |
| Created | 16 June 2020 |
| Last Modified | 08 March 2021 |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0030 | Instance | Instance Metadata |
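
As an added example (not part of the original technique page), the following sketch shows one way to surface snapshot-based reverts from cloud API audit logs. It assumes AWS CloudTrail event names; the flattened record layout, the field names, the one-hour window and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed correlation window; tune per environment

# Constructed sample records, flattened from CloudTrail's nested JSON (not real logs).
EVENTS = [
    {"time": "2021-03-08T10:00:00Z", "name": "StopInstances", "actor": "ops-user", "instance": "i-0aaa"},
    {"time": "2021-03-08T10:02:00Z", "name": "DetachVolume", "actor": "ops-user", "instance": "i-0aaa", "volume": "vol-0old"},
    {"time": "2021-03-08T10:03:00Z", "name": "CreateVolume", "actor": "ops-user", "volume": "vol-0new", "snapshot": "snap-0111"},
    {"time": "2021-03-08T10:05:00Z", "name": "AttachVolume", "actor": "ops-user", "instance": "i-0aaa", "volume": "vol-0new"},
    {"time": "2021-03-08T10:06:00Z", "name": "StartInstances", "actor": "ops-user", "instance": "i-0aaa"},
    {"time": "2021-03-08T11:00:00Z", "name": "CreateVolume", "actor": "dev-user", "volume": "vol-0blank"},
    {"time": "2021-03-08T11:01:00Z", "name": "AttachVolume", "actor": "dev-user", "instance": "i-0bbb", "volume": "vol-0blank"},
    {"time": "2021-03-08T12:00:00Z", "name": "CreateReplaceRootVolumeTask", "actor": "ops-user", "instance": "i-0ccc", "snapshot": "snap-0222"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_reverts(events, window=WINDOW):
    """Return (instance, snapshot, actor, kind) for each suspected revert."""
    from_snapshot = {}  # volume id -> (snapshot id, creation time)
    detached = {}       # instance id -> time of the most recent detach
    findings = []
    for ev in sorted(events, key=lambda e: parse(e["time"])):
        t, name = parse(ev["time"]), ev["name"]
        if name == "CreateVolume" and ev.get("snapshot"):
            from_snapshot[ev["volume"]] = (ev["snapshot"], t)
        elif name == "DetachVolume":
            detached[ev["instance"]] = t
        elif name == "AttachVolume" and ev["volume"] in from_snapshot:
            snap, created = from_snapshot[ev["volume"]]
            last_detach = detached.get(ev["instance"])
            # A snapshot-derived volume replacing one that was just detached
            # from the same instance is the manual revert pattern.
            if last_detach is not None and t - last_detach <= window and t - created <= window:
                findings.append((ev["instance"], snap, ev["actor"], "volume-swap"))
        elif name == "CreateReplaceRootVolumeTask":
            # Restores the root volume to a snapshot or, with none given, to launch state.
            findings.append((ev["instance"], ev.get("snapshot"), ev["actor"], "root-replace"))
    return findings

if __name__ == "__main__":
    for finding in find_reverts(EVENTS):
        print(finding)
```

Findings are leads for review rather than verdicts, since restoring from a snapshot is also routine maintenance; comparing the actor and timing against change records separates the two.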

References