ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Instance Deletion

Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples:

AWS: instance deletion involves the TerminateInstances API call, which is recorded in CloudTrail logs.
Azure: VM deletion can be monitored via Azure Activity Logs, showing the Microsoft.Compute/virtualMachines/delete operation.
GCP: instance deletion is logged as an instance.delete operation within GCP Audit Logs.

*Data Collection Measures:

AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch.
Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account.
GCP Audit Logs: Logs Explorer or BigQuery.

ID: DC0081

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
azure:activity	MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE
gcp:audit	compute.instances.delete

Detection Strategy

ID	Name	Technique Detected
DET0084	Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance	T1578.003