Detect Revert Cloud Instance in Microsoft Sentinel
An adversary may revert changes made to a cloud instance after performing malicious activities to evade detection and remove evidence of their presence. In highly virtualized cloud environments, this may be accomplished by restoring virtual machine or data storage snapshots through the cloud management dashboard or cloud APIs. Adversaries may also leverage temporary ephemeral storage attached to compute instances, which resets upon instance stop/restart, to avoid leaving persistent forensic artifacts on disk. This technique is commonly used as a final step in a cloud intrusion: exfiltrate data, perform lateral movement, then restore the instance to a pre-attack snapshot to destroy forensic evidence of the compromise.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.004 Revert Cloud Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1578/004/
KQL Detection Query
// Detect cloud instance snapshot revert operations (T1578.004)
// Covers Azure disk/VM restore operations and AWS snapshot-based recovery
let TimeWindow = 24h;
// Azure: Detect VM disk restore from snapshot, restore point operations, and VM recapture
let AzureRevertOps = AzureActivity
| where TimeGenerated > ago(TimeWindow)
| where OperationNameValue has_any (
"Microsoft.Compute/disks/write",
"Microsoft.Compute/restorePoints/write",
"Microsoft.Compute/restorePointCollections/write",
"Microsoft.Compute/virtualMachines/capture/action",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recovery/action"
)
| where ActivityStatusValue =~ "Success"
| where Properties_d has_any ("snapshot", "restorePoint", "diskRestorePoint", "creationData", "Copy", "Restore")
| extend CloudProvider = "Azure"
| extend ActorIdentity = Caller
| extend SourceIP = CallerIpAddress
| extend Operation = OperationNameValue
| extend TargetResource = _ResourceId
| project TimeGenerated, CloudProvider, ActorIdentity, SourceIP, Operation, TargetResource, ResourceGroup, SubscriptionId;
// AWS: Detect EC2/EBS snapshot restore and instance revert operations via CloudTrail
let AWSRevertOps = AWSCloudTrail
| where TimeGenerated > ago(TimeWindow)
| where EventName in (
"ImportSnapshot",
"RestoreSnapshotTier",
"CreateRestoreImageTask",
"CopySnapshot",
"RegisterImage",
"RunInstances",
"AttachVolume",
"DetachVolume",
"ModifyVolume",
"StopInstances",
"StartInstances"
)
| where isempty(ErrorCode)
| extend CloudProvider = "AWS"
| extend ActorIdentity = UserIdentityArn
| extend SourceIP = SourceIpAddress
| extend Operation = EventName
| extend TargetResource = tostring(RequestParameters)
| project TimeGenerated, CloudProvider, ActorIdentity, SourceIP, Operation, TargetResource, AWSRegion, RecipientAccountId;
// Union results and annotate operation type
AzureRevertOps
| union AWSRevertOps
| extend IsEphemeralReset = (Operation in ("StopInstances", "StartInstances"))
| extend IsSnapshotRestore = (Operation has_any ("snapshot", "Snapshot", "restorePoint", "RestoreImage", "RegisterImage", "ImportSnapshot", "CopySnapshot", "RestoreSnapshotTier", "CreateRestoreImageTask", "recovery"))
| sort by TimeGenerated descDetects cloud instance revert operations across Azure and AWS that may indicate an adversary restoring a VM or disk to a pre-attack state to destroy forensic evidence. Monitors Azure disk and restore point write operations with snapshot/restorePoint keywords in properties, Azure Backup recovery actions, AWS snapshot import/restore operations, and AWS instance stop-start cycles that reset ephemeral storage. Uses AzureActivity and AWSCloudTrail tables in Microsoft Sentinel.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate disaster recovery operations by cloud operations teams restoring instances from approved snapshots per a runbook or change ticket
- Automated backup and restore testing performed by cloud platform engineering or DevOps teams as part of DR drills
- Development and staging environment resets where instances are routinely reverted to known-good snapshots via CI/CD pipelines
- Patch rollback procedures reverting instances after a failed software update or breaking configuration change
- Chaos engineering or resilience testing platforms (e.g., AWS Fault Injection Simulator, Azure Chaos Studio) that deliberately stop and restart instances
Other platforms for T1578.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Stop and Start Instance (Ephemeral Storage Reset)
Expected signal: AWS CloudTrail: Two events in close sequence — `eventName=StopInstances` with `requestParameters.instancesSet.items[0].instanceId=<instance-id>`, followed by `eventName=StartInstances` for the same instance ID. Both events include `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `errorCode` (empty on success). `requestParameters` contains the instance ID in the `instancesSet` structure.
- Test 2AWS EBS Volume Restore from Snapshot (Disk Revert)
Expected signal: AWS CloudTrail: `eventName=CreateVolume` with `requestParameters.snapshotId=<snapshot-id>` (volume created from snapshot), followed by `eventName=AttachVolume` with `requestParameters.volumeId=<volume-id>` and `requestParameters.instanceId=<instance-id>`. Both events record `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, and `eventTime`. The `CreateVolume` event's `responseElements` will contain the new `volumeId` matching the `AttachVolume` request.
- Test 3Azure Managed Disk Creation from Snapshot
Expected signal: Azure Activity Logs: `operationName=Microsoft.Compute/disks/write` with HTTP status 201 (Created). The `properties` field contains `creationData.createOption=Copy` and `creationData.sourceResourceId` pointing to the snapshot resource ID. Event includes `caller` (Azure AD principal UPN or service principal ID), `callerIpAddress`, `resourceId` (new disk ARM ID), `resourceGroup`, `subscriptionId`, and `correlationId`. If VM disk swap follows, additional `Microsoft.Compute/virtualMachines/write`, deallocate, and start operations appear.
- Test 4AWS AMI Registration from Snapshot (Instance Replacement Revert)
Expected signal: AWS CloudTrail: `eventName=RegisterImage` with `requestParameters.blockDeviceMapping` array containing an entry with `snapshotId=<snapshot-id>` and `deviceName=/dev/xvda`. Event records `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `responseElements.imageId` (the new AMI ID). If a subsequent `RunInstances` call uses this AMI, the `requestParameters.imageId` in that event will match the registered AMI ID.
References (15)
- https://attack.mitre.org/techniques/T1578/004/
- https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/
- https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-store-volumes.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html
- https://learn.microsoft.com/en-us/azure/virtual-machines/snapshot-copy-managed-disk
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.004/T1578.004.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterImage.html
- https://learn.microsoft.com/en-us/rest/api/compute/disks/create-or-update
Unlock Pro Content
Get the full detection package for T1578.004 including response playbook, investigation guide, and atomic red team tests.