An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.003 | Delete Cloud Instance |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1578.003 | Delete Cloud Instance |
Comments
This diagnostic statement protects against Delete Cloud Instance through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-05 | Access Restrictions for Change | mitigates | T1578.003 | Delete Cloud Instance | |
| IA-06 | Authentication Feedback | mitigates | T1578.003 | Delete Cloud Instance | |
| IA-04 | Identifier Management | mitigates | T1578.003 | Delete Cloud Instance | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1578.003 | Delete Cloud Instance | |
| CM-02 | Baseline Configuration | mitigates | T1578.003 | Delete Cloud Instance | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1578.003 | Delete Cloud Instance | |
| SI-04 | System Monitoring | mitigates | T1578.003 | Delete Cloud Instance | |
| AC-02 | Account Management | mitigates | T1578.003 | Delete Cloud Instance | |
| AC-03 | Access Enforcement | mitigates | T1578.003 | Delete Cloud Instance | |
| AC-05 | Separation of Duties | mitigates | T1578.003 | Delete Cloud Instance | |
| AC-06 | Least Privilege | mitigates | T1578.003 | Delete Cloud Instance |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1578.003 | Delete Cloud Instance |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1578.003 | Delete Cloud Instance |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|