Modify Cloud Compute Infrastructure: Delete Cloud Instance

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.[1]

ID: T1578.003
Sub-technique of:  T1578
Tactic: Defense Evasion
Platforms: IaaS
Contributors: Arun Seelagan, CISA
Version: 1.2
Created: 16 June 2020
Last Modified: 30 September 2024

Procedure Examples

ID Name Description
G1004 LAPSUS$

LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.[2]

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check user permissions to ensure only the expected users have the capability to delete new instances.

M1018 User Account Management

Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[1]

Detection

ID Data Source Data Component Detects
DS0030 Instance Instance Deletion

The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.

In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.[5]

Analytic 1 - Operations performed by unexpected initiators, unusual resource names, frequent deletions

index="azure_activity_logs" (OperationName="Delete Virtual Machine" OR OperationName="Delete Disk" OR OperationName="Delete Role Assignment")| stats count by InitiatorName, Resource| where Resource LIKE "Microsoft.Compute/virtualMachines*" AND (Status!="Succeeded" OR InitiatorName!="expected_initiator")| sort by Time

Instance Metadata

Periodically baseline instances to identify malicious modifications or additions.

References