An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1578.003 | Delete Cloud Instance |
AC-03 | Access Enforcement | Protects | T1578.003 | Delete Cloud Instance |
AC-05 | Separation of Duties | Protects | T1578.003 | Delete Cloud Instance |
AC-06 | Least Privilege | Protects | T1578.003 | Delete Cloud Instance |
CA-08 | Penetration Testing | Protects | T1578.003 | Delete Cloud Instance |
CM-05 | Access Restrictions for Change | Protects | T1578.003 | Delete Cloud Instance |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1578.003 | Delete Cloud Instance |
IA-04 | Identifier Management | Protects | T1578.003 | Delete Cloud Instance |
IA-06 | Authentication Feedback | Protects | T1578.003 | Delete Cloud Instance |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1578.003 | Delete Cloud Instance |
SI-04 | System Monitoring | Protects | T1578.003 | Delete Cloud Instance |