T1578.003 Delete Cloud Instance Mappings

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1578.003 Delete Cloud Instance
AC-3 Access Enforcement Protects T1578.003 Delete Cloud Instance
AC-5 Separation of Duties Protects T1578.003 Delete Cloud Instance
AC-6 Least Privilege Protects T1578.003 Delete Cloud Instance
CA-8 Penetration Testing Protects T1578.003 Delete Cloud Instance
CM-5 Access Restrictions for Change Protects T1578.003 Delete Cloud Instance
IA-2 Identification and Authentication (organizational Users) Protects T1578.003 Delete Cloud Instance
IA-4 Identifier Management Protects T1578.003 Delete Cloud Instance
IA-6 Authentication Feedback Protects T1578.003 Delete Cloud Instance
RA-5 Vulnerability Monitoring and Scanning Protects T1578.003 Delete Cloud Instance
SI-4 System Monitoring Protects T1578.003 Delete Cloud Instance
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1578.003 Modify Cloud Computer Infrastructure: Delete Cloud Instance