T1578.003: Delete Cloud Instance

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

vk_cloud: PT-CR-2305: VK_Cloud_Critical_DB_Operation: An untrusted user performed an operation with a critical database in VK Cloud. Attackers can bypass protection or gain persistence in the system by changing or deleting a critical database, or creating its backup or a new user in it. These operations allow attackers to access sensitive information stored in the database and use it to further compromise the system. vk_cloud: PT-CR-2291: VK_Cloud_Critical_VM_Operation: An untrusted user performed an operation on a critical virtual machine in VK Cloud. Attackers can gain access to critical virtual machines, manage them, and change their configuration, including network configuration. This allows them to interfere with the operation of critical virtual machines, disclose information stored on them, and prepare the environment for further attacks.

Detection

ID	DS0030	Data source and component	Instance: Instance Metadata	Description	Periodically baseline instances to identify malicious modifications or additions.

ID	DS0030	Data source and component	Instance: Instance Deletion	Description	The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity. In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs. Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.

ID	Data source and component	Description
DS0030	Instance: Instance Metadata	Periodically baseline instances to identify malicious modifications or additions.
DS0030	Instance: Instance Deletion	The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity. In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs. Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.

Mitigation

ID	M1018	Name	User Account Management	Description	Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.

ID	M1047	Name	Audit	Description	Routinely check user permissions to ensure only the expected users have the capability to delete new instances.

ID	Name	Description
M1018	User Account Management	Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.
M1047	Audit	Routinely check user permissions to ensure only the expected users have the capability to delete new instances.