T1578.003SubTechniquedefense-evasionagent-callable

T1578.003Delete Cloud Instance

Sub-technique of T1578

Platforms: IaaS

ATT&CK version: 14.1

What it is

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable. An adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1578/003
  2. https://content.fireeye.com/m-trends/rpt-m-trends-2020
  3. https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
  4. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
  5. https://cloud.google.com/logging/docs/audit#admin-activity
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.