1. Home
  2. ATT&CK Techniques
  3. T1578
  4. T1578.003
Defense Impairment

T1578.003: Delete Cloud Instance

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine...

T1578.003 · Sub-technique ·1 platforms ·2 groups

Description

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)

Platforms

IaaS

Mitigations (2)

User Account ManagementM1018

Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)

AuditM1047

Routinely check user permissions to ensure only the expected users have the capability to delete new instances.

Threat Groups (2)

IDGroupContext
G1004LAPSUS$[LAPSUS$](https://attack.mitre.org/groups/G1004) has deleted the target's systems and resources in the cloud to trigger the organization's incident an...
G1053Storm-0501[Storm-0501](https://attack.mitre.org/groups/G1053) has conducted mass deletion of cloud data stores and resources from Azure subscriptions.(Citation:...

References

Frequently Asked Questions

What is T1578.003 (Delete Cloud Instance)?

T1578.003 is a MITRE ATT&CK technique named 'Delete Cloud Instance'. It belongs to the Defense Impairment tactic(s). An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine...

How can T1578.003 be detected?

Detection of T1578.003 (Delete Cloud Instance) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1578.003?

There are 2 documented mitigations for T1578.003. Key mitigations include: User Account Management, Audit.

Which threat groups use T1578.003?

Known threat groups using T1578.003 include: LAPSUS$, Storm-0501.