Detect Revert Cloud Instance in CrowdStrike LogScale
An adversary may revert changes made to a cloud instance after performing malicious activities to evade detection and remove evidence of their presence. In highly virtualized cloud environments, this may be accomplished by restoring virtual machine or data storage snapshots through the cloud management dashboard or cloud APIs. Adversaries may also leverage temporary ephemeral storage attached to compute instances, which resets upon instance stop/restart, to avoid leaving persistent forensic artifacts on disk. This technique is commonly used as a final step in a cloud intrusion: exfiltrate data, perform lateral movement, then restore the instance to a pre-attack snapshot to destroy forensic evidence of the compromise.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.004 Revert Cloud Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1578/004/
LogScale Detection Query
#event_simpleName = "CloudResourceModification"
| OperationName = /(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify|revert)/
| ActorUserName != /(?i)(backup|automation|serviceaccount|scheduler)/
| groupBy([aid, ActorUserName, OperationName, ResourceType, ResourceName], function=[count(as=OpCount), min(timestamp, as=FirstSeen)])
| case {
OperationName = /(?i)(delete|destroy|terminate)/ => RiskScore := "High";
OperationName = /(?i)(snapshot|create)/ => RiskScore := "Medium";
* => RiskScore := "Low";
}
| where RiskScore in ("High", "Medium")
| table([ActorUserName, OperationName, ResourceType, ResourceName, OpCount, RiskScore, FirstSeen])
| sort(RiskScore)CrowdStrike LogScale (Falcon) CQL detection for Revert Cloud Instance. Detects cloud instance revert operations across Azure and AWS that may indicate an adversary restoring a VM or disk to a pre-attack state to destroy forensic evidence. Monitors Azure disk and restore
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud administrators performing routine snapshot and backup operations
- Automated DR and backup solutions creating scheduled cloud instance snapshots
- DevOps CI/CD pipelines that create and destroy cloud instances during deployments
- Authorized cloud migration projects moving or replicating compute instances
Other platforms for T1578.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Stop and Start Instance (Ephemeral Storage Reset)
Expected signal: AWS CloudTrail: Two events in close sequence — `eventName=StopInstances` with `requestParameters.instancesSet.items[0].instanceId=<instance-id>`, followed by `eventName=StartInstances` for the same instance ID. Both events include `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `errorCode` (empty on success). `requestParameters` contains the instance ID in the `instancesSet` structure.
- Test 2AWS EBS Volume Restore from Snapshot (Disk Revert)
Expected signal: AWS CloudTrail: `eventName=CreateVolume` with `requestParameters.snapshotId=<snapshot-id>` (volume created from snapshot), followed by `eventName=AttachVolume` with `requestParameters.volumeId=<volume-id>` and `requestParameters.instanceId=<instance-id>`. Both events record `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, and `eventTime`. The `CreateVolume` event's `responseElements` will contain the new `volumeId` matching the `AttachVolume` request.
- Test 3Azure Managed Disk Creation from Snapshot
Expected signal: Azure Activity Logs: `operationName=Microsoft.Compute/disks/write` with HTTP status 201 (Created). The `properties` field contains `creationData.createOption=Copy` and `creationData.sourceResourceId` pointing to the snapshot resource ID. Event includes `caller` (Azure AD principal UPN or service principal ID), `callerIpAddress`, `resourceId` (new disk ARM ID), `resourceGroup`, `subscriptionId`, and `correlationId`. If VM disk swap follows, additional `Microsoft.Compute/virtualMachines/write`, deallocate, and start operations appear.
- Test 4AWS AMI Registration from Snapshot (Instance Replacement Revert)
Expected signal: AWS CloudTrail: `eventName=RegisterImage` with `requestParameters.blockDeviceMapping` array containing an entry with `snapshotId=<snapshot-id>` and `deviceName=/dev/xvda`. Event records `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `responseElements.imageId` (the new AMI ID). If a subsequent `RunInstances` call uses this AMI, the `requestParameters.imageId` in that event will match the registered AMI ID.
References (15)
- https://attack.mitre.org/techniques/T1578/004/
- https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/
- https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-store-volumes.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html
- https://learn.microsoft.com/en-us/azure/virtual-machines/snapshot-copy-managed-disk
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.004/T1578.004.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterImage.html
- https://learn.microsoft.com/en-us/rest/api/compute/disks/create-or-update
Unlock Pro Content
Get the full detection package for T1578.004 including response playbook, investigation guide, and atomic red team tests.