Detect Delete Cloud Instance in Google Chronicle
An adversary may delete a cloud instance after performing malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can eliminate forensic artifacts including memory contents, running processes, local logs, and volatile state that would otherwise be available for incident response. Adversaries such as LAPSUS$ have deleted target cloud resources to trigger incident response processes and maximize disruption, while ransomware operators like Storm-0501 conduct mass deletion of Azure resources across subscriptions. The technique may be combined with T1578.002 (Create Cloud Instance) where adversaries spin up ephemeral instances for malicious work, then delete them upon completion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.003 Delete Cloud Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1578/003/
YARA-L Detection Query
rule T1578_003_cloud_infra_modification {
meta:
author = "Detection Engineering"
description = "Detects suspicious cloud infrastructure modifications"
severity = "high"
confidence = "medium"
mitre_attack = "T1578.003"
reference = "https://attack.mitre.org/techniques/T1578/003/"
events:
$e.metadata.event_type = "USER_RESOURCE_ACCESS"
re.regex($e.metadata.product_event_type, `(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)`)
not re.regex($e.principal.user.email_addresses, `(?i)(backup|automation|serviceaccount)`)
condition:
$e
}Google Chronicle YARA-L 2.0 detection for Delete Cloud Instance. Detects cloud instance deletion events across Azure (via AzureActivity) and AWS (via AWSCloudTrail) in Microsoft Sentinel. Covers Azure VM, VMSS, and AKS cluster deletions alongside AWS EC2 TerminateI
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud administrators performing scheduled backup snapshot creation
- Automated disaster recovery solutions creating routine cloud instance snapshots
- DevOps CI/CD pipelines creating and deleting compute instances during deployments
- Authorized cloud migration projects moving instances between regions
Other platforms for T1578.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Instance Termination via CLI
Expected signal: AWS CloudTrail: EventName=TerminateInstances with RequestParameters containing instancesSet.items[].instanceId. UserIdentity will contain the caller's ARN, userAgent will show 'aws-cli', and sourceIPAddress will show the test machine's IP. ResponseElements will confirm state transition from 'running' to 'shutting-down'. Event appears in CloudTrail within 5-15 minutes.
- Test 2AWS Bulk EC2 Termination — Mass Deletion Pattern
Expected signal: AWS CloudTrail: Single TerminateInstances event with RequestParameters.instancesSet.items containing 5 instance IDs. The bulk nature triggers the high-count hunting query. UserIdentity, sourceIPAddress, and awsRegion fields present. The SPL query InstanceCount field will show 5, triggering BulkDelete classification and elevated SuspicionScore.
- Test 3Azure VM Deletion via Azure CLI
Expected signal: Azure Activity Log: OperationNameValue=Microsoft.Compute/virtualMachines/delete, ActivityStatusValue=Accepted then Succeeded (two events). Caller field contains the authenticated user's UPN or service principal ID. ResourceId contains the full VM resource path. Events appear in Azure Monitor Activity Log within 1-5 minutes and flow to Log Analytics/Sentinel within 5-15 minutes.
- Test 4AWS Bypass Termination Protection Then Terminate
Expected signal: AWS CloudTrail Event 1: EventName=ModifyInstanceAttribute with RequestParameters.attribute=disableApiTermination and RequestParameters.value=false. AWS CloudTrail Event 2: EventName=TerminateInstances with the same instance ID and caller identity. Both events share the same UserIdentityArn and sourceIPAddress. The sequence within minutes is the high-fidelity indicator. A correlation rule matching ModifyInstanceAttribute(disableApiTermination=false) followed by TerminateInstances from the same ARN within 10 minutes should fire at Critical severity.
References (10)
- https://attack.mitre.org/techniques/T1578/003/
- https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- https://cloud.google.com/logging/docs/audit#admin-activity
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.microsoft.com/en-us/security/blog/2025/08/01/storm-0501-ransomware-attacks-expanding-to-cloud-environments/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingDisableAPITermination
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.003/T1578.003.md
Unlock Pro Content
Get the full detection package for T1578.003 including response playbook, investigation guide, and atomic red team tests.