Detect Delete Cloud Instance in Sumo Logic CSE
An adversary may delete a cloud instance after performing malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can eliminate forensic artifacts including memory contents, running processes, local logs, and volatile state that would otherwise be available for incident response. Adversaries such as LAPSUS$ have deleted target cloud resources to trigger incident response processes and maximize disruption, while ransomware operators like Storm-0501 conduct mass deletion of Azure resources across subscriptions. The technique may be combined with T1578.002 (Create Cloud Instance) where adversaries spin up ephemeral instances for malicious work, then delete them upon completion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.003 Delete Cloud Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1578/003/
Sumo Detection Query
_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount descSumo Logic detection for Delete Cloud Instance. Detects cloud instance deletion events across Azure (via AzureActivity) and AWS (via AWSCloudTrail) in Microsoft Sentinel. Covers Azure VM, VMSS, and AKS cluster deletions alongside AWS EC2 TerminateI
Data Sources
Required Tables
False Positives & Tuning
- Cloud administrators creating authorized snapshots for backup or migration
- Automated disaster recovery systems creating scheduled cloud snapshots
- DevOps pipelines creating and deleting compute instances as part of CI/CD
- Authorized cloud infrastructure migrations between regions or accounts
Other platforms for T1578.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Instance Termination via CLI
Expected signal: AWS CloudTrail: EventName=TerminateInstances with RequestParameters containing instancesSet.items[].instanceId. UserIdentity will contain the caller's ARN, userAgent will show 'aws-cli', and sourceIPAddress will show the test machine's IP. ResponseElements will confirm state transition from 'running' to 'shutting-down'. Event appears in CloudTrail within 5-15 minutes.
- Test 2AWS Bulk EC2 Termination — Mass Deletion Pattern
Expected signal: AWS CloudTrail: Single TerminateInstances event with RequestParameters.instancesSet.items containing 5 instance IDs. The bulk nature triggers the high-count hunting query. UserIdentity, sourceIPAddress, and awsRegion fields present. The SPL query InstanceCount field will show 5, triggering BulkDelete classification and elevated SuspicionScore.
- Test 3Azure VM Deletion via Azure CLI
Expected signal: Azure Activity Log: OperationNameValue=Microsoft.Compute/virtualMachines/delete, ActivityStatusValue=Accepted then Succeeded (two events). Caller field contains the authenticated user's UPN or service principal ID. ResourceId contains the full VM resource path. Events appear in Azure Monitor Activity Log within 1-5 minutes and flow to Log Analytics/Sentinel within 5-15 minutes.
- Test 4AWS Bypass Termination Protection Then Terminate
Expected signal: AWS CloudTrail Event 1: EventName=ModifyInstanceAttribute with RequestParameters.attribute=disableApiTermination and RequestParameters.value=false. AWS CloudTrail Event 2: EventName=TerminateInstances with the same instance ID and caller identity. Both events share the same UserIdentityArn and sourceIPAddress. The sequence within minutes is the high-fidelity indicator. A correlation rule matching ModifyInstanceAttribute(disableApiTermination=false) followed by TerminateInstances from the same ARN within 10 minutes should fire at Critical severity.
References (10)
- https://attack.mitre.org/techniques/T1578/003/
- https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
- https://cloud.google.com/logging/docs/audit#admin-activity
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
- https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.microsoft.com/en-us/security/blog/2025/08/01/storm-0501-ransomware-attacks-expanding-to-cloud-environments/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingDisableAPITermination
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.003/T1578.003.md
Unlock Pro Content
Get the full detection package for T1578.003 including response playbook, investigation guide, and atomic red team tests.