1. Home
  2. Techniques
  3. Enterprise
  4. Modify Cloud Compute Infrastructure
  5. Delete Cloud Instance

Modify Cloud Compute Infrastructure: Delete Cloud Instance

ID Name
T1578.001 Create Snapshot
T1578.002 Create Cloud Instance
T1578.003 Delete Cloud Instance
T1578.004 Revert Cloud Instance
T1578.005 Modify Cloud Compute Configurations

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.[1]

ID: T1578.003
Sub-technique of:  T1578
Tactic: Defense Evasion
Platforms: IaaS
Contributors: Arun Seelagan, CISA
Version: 1.2
Created: 16 June 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G1004 LAPSUS$

LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.[2]
G1053 Storm-0501

Storm-0501 has conducted mass deletion of cloud data stores and resources from Azure subscriptions.[3]

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check user permissions to ensure only the expected users have the capability to delete new instances.
M1018 User Account Management

Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[1]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0084 Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance AN0234

Defenders can detect suspicious cloud instance deletions by correlating events across authentication, instance lifecycle, and account activity. From a defender’s perspective, behaviors of interest include instances deleted shortly after creation, deletions initiated by new or rarely used accounts, deletions following snapshot creation, and deletions originating from anomalous geolocations or access keys. These may indicate adversarial attempts to destroy forensic evidence or evade detection.

References

  1. Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.
  2. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  1. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.