T1578.004 Revert Cloud Instance Mappings

An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.

Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)

View in MITRE ATT&CK®

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
role_based_access_control Role Based Access Control technique_scores T1578.004 Revert Cloud Instance
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
    cloud_app_security_policies Cloud App Security Policies technique_scores T1578.004 Revert Cloud Instance
    Comments
    This control can identify anomalous admin activity.
    References