Which SIEM platforms have a T1578.004 detection rule?

df00tech provides T1578.004 (Revert Cloud Instance) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Revert Cloud Instance (T1578.004)?

Detecting Revert Cloud Instance requires the following data sources: Cloud Service: Cloud Service Modification, Instance: Instance Stop, Instance: Instance Start, Snapshot: Snapshot Modification, Azure Activity Logs, AWS CloudTrail.

What severity and confidence is the T1578.004 detection?

The T1578.004 detection is rated high severity with medium confidence.

What are common false positives for T1578.004?

Common false positives for T1578.004 include: Legitimate disaster recovery operations by cloud operations teams restoring instances from approved snapshots per a runbook or change ticket; Automated backup and restore testing performed by cloud platform engineering or DevOps teams as part of DR drills; Development and staging environment resets where instances are routinely reverted to known-good snapshots via CI/CD pipelines.

T1578.004 IBM QRadar · QRadar

Detect Revert Cloud Instance in IBM QRadar

An adversary may revert changes made to a cloud instance after performing malicious activities to evade detection and remove evidence of their presence. In highly virtualized cloud environments, this may be accomplished by restoring virtual machine or data storage snapshots through the cloud management dashboard or cloud APIs. Adversaries may also leverage temporary ephemeral storage attached to compute instances, which resets upon instance stop/restart, to avoid leaving persistent forensic artifacts on disk. This technique is commonly used as a final step in a cloud intrusion: exfiltrate data, perform lateral movement, then restore the instance to a pre-attack snapshot to destroy forensic evidence of the compromise.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1578 Modify Cloud Compute Infrastructure
Sub-technique: T1578.004 Revert Cloud Instance
Canonical reference: https://attack.mitre.org/techniques/T1578/004/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username, "Operation" AS CloudOperation,
  "ResourceType" AS CloudResource,
  "ResourceGroup", "SubscriptionId",
  CASE
    WHEN "Operation" ILIKE '%delete%' OR "Operation" ILIKE '%destroy%' THEN 90
    WHEN "Operation" ILIKE '%snapshot%' AND "ResultType" = 'Success' THEN 70
    WHEN "Operation" ILIKE '%create%instance%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Operation" ILIKE '%delete%' THEN 'Cloud Resource Deletion'
    WHEN "Operation" ILIKE '%snapshot%' THEN 'Snapshot Operation'
    WHEN "Operation" ILIKE '%create%' THEN 'Cloud Resource Creation'
    ELSE 'Cloud Modification'
  END AS AlertType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%azure%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%cloudtrail%'
  AND ("Operation" ILIKE '%compute%' OR "Operation" ILIKE '%instance%' OR "Operation" ILIKE '%snapshot%' OR "Operation" ILIKE '%virtualMachine%')
  AND username NOT ILIKE '%azure%automation%'
  AND username NOT ILIKE '%backup%service%'
ORDER BY RiskScore DESC
LAST 1 HOURS

high severity medium confidence

QRadar AQL detection for Revert Cloud Instance. Detects cloud instance revert operations across Azure and AWS that may indicate an adversary restoring a VM or disk to a pre-attack state to destroy forensic evidence. Monitors Azure disk and restore

Data Sources

Azure Activity LogsAWS CloudTrail

Required Tables

events

False Positives & Tuning

Authorized cloud administrators performing snapshot and backup operations
Automated DR solutions creating scheduled cloud instance snapshots
DevOps pipelines creating and deleting instances as part of CI/CD
Authorized infrastructure scaling or migration events

Download portable Sigma rule (.yml)

Other platforms for T1578.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1AWS EC2 Stop and Start Instance (Ephemeral Storage Reset)
Expected signal: AWS CloudTrail: Two events in close sequence — `eventName=StopInstances` with `requestParameters.instancesSet.items[0].instanceId=<instance-id>`, followed by `eventName=StartInstances` for the same instance ID. Both events include `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `errorCode` (empty on success). `requestParameters` contains the instance ID in the `instancesSet` structure.
Test 2AWS EBS Volume Restore from Snapshot (Disk Revert)
Expected signal: AWS CloudTrail: `eventName=CreateVolume` with `requestParameters.snapshotId=<snapshot-id>` (volume created from snapshot), followed by `eventName=AttachVolume` with `requestParameters.volumeId=<volume-id>` and `requestParameters.instanceId=<instance-id>`. Both events record `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, and `eventTime`. The `CreateVolume` event's `responseElements` will contain the new `volumeId` matching the `AttachVolume` request.
Test 3Azure Managed Disk Creation from Snapshot
Expected signal: Azure Activity Logs: `operationName=Microsoft.Compute/disks/write` with HTTP status 201 (Created). The `properties` field contains `creationData.createOption=Copy` and `creationData.sourceResourceId` pointing to the snapshot resource ID. Event includes `caller` (Azure AD principal UPN or service principal ID), `callerIpAddress`, `resourceId` (new disk ARM ID), `resourceGroup`, `subscriptionId`, and `correlationId`. If VM disk swap follows, additional `Microsoft.Compute/virtualMachines/write`, deallocate, and start operations appear.
Test 4AWS AMI Registration from Snapshot (Instance Replacement Revert)
Expected signal: AWS CloudTrail: `eventName=RegisterImage` with `requestParameters.blockDeviceMapping` array containing an entry with `snapshotId=<snapshot-id>` and `deviceName=/dev/xvda`. Event records `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `responseElements.imageId` (the new AMI ID). If a subsequent `RunInstances` call uses this AMI, the `requestParameters.imageId` in that event will match the registered AMI ID.

Last updated: 2026-03-13 Research depth: deep

References (15)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1578.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Revert Cloud Instance in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1578.004

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1578.004

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox