T1578.003: Delete Cloud Instance

View on MITRE ATT&CK	T1578.003
Tactic(s)	Defense Evasion

Data from MITRE ATT&CK®:

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Mitigations for this technique

MITRE ATT&CK Mitigations

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

How to detect this technique

MITRE ATT&CK Data Components

Instance Metadata (Instance)

Contextual data about an instance and activity around it such as name, type, or status

Instance Deletion (Instance)

Removal of an instance (ex: instance.delete within GCP Audit Logs)

Sigma Detections for this Technique

Azure Active Directory Hybrid Health AD FS Service Delete

azure

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
IA-6: Authentication Feedback
CM-5: Access Restrictions for Change
AC-3: Access Enforcement
IA-2: Identification and Authentication (organizational Users)
RA-5: Vulnerability Monitoring and Scanning
SI-4: System Monitoring
AC-5: Separation of Duties
CA-8: Penetration Testing
AC-2: Account Management
IA-4: Identifier Management
AC-6: Least Privilege