T1578.004: Revert Cloud Instance

Data from MITRE ATT&CK®:

An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.

Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Instance Metadata (Instance)

Contextual data about an instance and activity around it such as name, type, or status

Instance Stop (Instance)

Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)

Instance Start (Instance)

Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

Instance Modification (Instance)

Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)