Detect Revert Cloud Instance in Splunk
An adversary may revert changes made to a cloud instance after performing malicious activities to evade detection and remove evidence of their presence. In highly virtualized cloud environments, this may be accomplished by restoring virtual machine or data storage snapshots through the cloud management dashboard or cloud APIs. Adversaries may also leverage temporary ephemeral storage attached to compute instances, which resets upon instance stop/restart, to avoid leaving persistent forensic artifacts on disk. This technique is commonly used as a final step in a cloud intrusion: exfiltrate data, perform lateral movement, then restore the instance to a pre-attack snapshot to destroy forensic evidence of the compromise.
MITRE ATT&CK
- Tactic: Defense Evasion
- Sub-technique: T1578.004 Revert Cloud Instance
- Canonical reference: https://attack.mitre.org/techniques/T1578/004/
SPL Detection Query
(index=aws sourcetype="aws:cloudtrail" NOT errorCode=*
    (eventName="ImportSnapshot" OR eventName="RestoreSnapshotTier" OR eventName="CreateRestoreImageTask"
     OR eventName="RegisterImage" OR eventName="CreateVolume"
     OR eventName="AttachVolume" OR eventName="ModifyVolume"
     OR eventName="StopInstances" OR eventName="StartInstances" OR eventName="RunInstances"))
OR
(index=azure sourcetype="mscs:azure:eventhub" status.value="Succeeded"
    (operationName="MICROSOFT.COMPUTE/DISKS/WRITE"
     OR operationName="MICROSOFT.COMPUTE/RESTOREPOINTS/WRITE"
     OR operationName="MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/WRITE"
     OR operationName="MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPFABRICS/PROTECTIONCONTAINERS/PROTECTEDITEMS/RECOVERY/ACTION"
     OR operationName="MICROSOFT.COMPUTE/VIRTUALMACHINES/CAPTURE/ACTION"))
| eval CloudProvider=case(sourcetype="aws:cloudtrail","AWS", sourcetype="mscs:azure:eventhub","Azure")
| eval ActorIdentity=coalesce('userIdentity.arn', caller)
| eval Operation=coalesce(eventName, operationName)
| eval TargetResource=coalesce('requestParameters.volumeId', 'requestParameters.instanceId', 'requestParameters.imageId',
      'requestParameters.instancesSet.items{}.instanceId', 'requestParameters.instancesSet.items{}.imageId',
      'responseElements.imageId', resourceId, "unknown")
| eval SourceIP=coalesce(sourceIPAddress, callerIpAddress)
| eval IsSnapshotRestore=case(
      CloudProvider="AWS" AND match(eventName,"^(ImportSnapshot|RestoreSnapshotTier|CreateRestoreImageTask|RegisterImage)$"), 1,
      CloudProvider="AWS" AND eventName="CreateVolume" AND isnotnull('requestParameters.snapshotId'), 1,
      CloudProvider="Azure" AND match(_raw,"(?i)(snapshot|restorePoint|\"createOption\"\s*:\s*\"(Copy|Restore)\"|/recovery/action)"), 1,
      true(), 0)
| eval IsEphemeralReset=if(CloudProvider="AWS" AND (eventName="StopInstances" OR eventName="StartInstances"), 1, 0)
| stats earliest(_time) AS FirstSeen, latest(_time) AS LastSeen, values(Operation) AS Operations,
      values(TargetResource) AS TargetResources, max(IsSnapshotRestore) AS IsSnapshotRestore,
      max(IsEphemeralReset) AS IsEphemeralReset
      BY CloudProvider, ActorIdentity, SourceIP
| eval SuspicionScore=IsSnapshotRestore+IsEphemeralReset
| where SuspicionScore > 0
| sort - SuspicionScore, - LastSeen
| convert ctime(FirstSeen) ctime(LastSeen)
| table FirstSeen, LastSeen, CloudProvider, ActorIdentity, SourceIP, Operations, TargetResources, IsSnapshotRestore, IsEphemeralReset, SuspicionScore

Detects cloud instance revert operations via AWS CloudTrail and Azure Activity Log events in Splunk. Successful AWS calls are selected with `NOT errorCode=*` because CloudTrail omits `errorCode` entirely on success (`errorCode=""` would match nothing). The AWS branch scores snapshot import, archive-tier snapshot restore, AMI restore from S3 (`CreateRestoreImageTask`), AMI registration (`RegisterImage`), volume creation from a snapshot (`CreateVolume` with `requestParameters.snapshotId`), and instance stop/start cycles, which wipe instance-store volumes; `AttachVolume`, `ModifyVolume` and `RunInstances` are kept as context for the same actor but do not score on their own. The Azure branch scores disk writes whose `creationData.createOption` is `Copy` or `Restore` (or that reference a snapshot or restore point), restore point operations, VM capture, and Azure Backup recovery actions; a bare `creationData` match is deliberately avoided because every disk write carries it. Events are rolled up per actor and source IP, and `IsSnapshotRestore` and `IsEphemeralReset` each contribute 1 to the score: an actor who only restored a snapshot or only cycled instances scores 1 and warrants review, while an actor who did both within the search window scores 2 and warrants immediate escalation. Run the search over a window long enough to capture the full sequence (the last 24 hours is a reasonable starting point).
Data Sources
Required Sourcetypes
- aws:cloudtrail (index=aws): EC2 management events from CloudTrail; note that errorCode is absent, not empty, on successful calls
- mscs:azure:eventhub (index=azure): Azure Activity Log forwarded through Event Hubs by the Splunk Add-on for Microsoft Cloud Services
False Positives & Tuning
- Legitimate disaster recovery operations by cloud operations teams restoring instances from approved snapshots per a runbook or change ticket
- Automated backup and restore testing performed by cloud platform engineering or DevOps teams as part of DR drills
- Development and staging environment resets where instances are routinely reverted to known-good snapshots via CI/CD pipelines
- Patch rollback procedures reverting instances after a failed software update or breaking configuration change
- Chaos engineering or resilience testing platforms (e.g., AWS Fault Injection Simulator, Azure Chaos Studio) that deliberately stop and restart instances
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS EC2 Stop and Start Instance (Ephemeral Storage Reset)
Expected signal: AWS CloudTrail: Two events in close sequence — `eventName=StopInstances` with `requestParameters.instancesSet.items[0].instanceId=<instance-id>`, followed by `eventName=StartInstances` for the same instance ID (Splunk extracts the array element as `requestParameters.instancesSet.items{}.instanceId`). Both events include `userIdentity.arn`, `sourceIPAddress`, `awsRegion` and `eventTime`; `errorCode` is absent on success and present only on failure. `requestParameters` contains the instance ID in the `instancesSet` structure.
- Test 2: AWS EBS Volume Restore from Snapshot (Disk Revert)
Expected signal: AWS CloudTrail: `eventName=CreateVolume` with `requestParameters.snapshotId=<snapshot-id>` (volume created from snapshot), followed by `eventName=AttachVolume` with `requestParameters.volumeId=<volume-id>` and `requestParameters.instanceId=<instance-id>`. Both events record `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, and `eventTime`. The `CreateVolume` event's `responseElements` will contain the new `volumeId` matching the `AttachVolume` request.
- Test 3: Azure Managed Disk Creation from Snapshot
Expected signal: Azure Activity Logs: `operationName=Microsoft.Compute/disks/write` with HTTP status 201 (Created). The `properties` field contains `creationData.createOption=Copy` and `creationData.sourceResourceId` pointing to the snapshot resource ID. Event includes `caller` (Azure AD principal UPN or service principal ID), `callerIpAddress`, `resourceId` (new disk ARM ID), `resourceGroup`, `subscriptionId`, and `correlationId`. If a VM disk swap follows, additional `Microsoft.Compute/virtualMachines/write`, deallocate, and start operations appear.
- Test 4: AWS AMI Registration from Snapshot (Instance Replacement Revert)
Expected signal: AWS CloudTrail: `eventName=RegisterImage` with `requestParameters.blockDeviceMapping` array containing an entry with `snapshotId=<snapshot-id>` and `deviceName=/dev/xvda`. Event records `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `responseElements.imageId` (the new AMI ID). If a subsequent `RunInstances` call uses this AMI, the `requestParameters.imageId` in that event will match the registered AMI ID.
References (15)
- https://attack.mitre.org/techniques/T1578/004/
- https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/
- https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-store-volumes.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html
- https://learn.microsoft.com/en-us/azure/virtual-machines/snapshot-copy-managed-disk
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.004/T1578.004.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterImage.html
- https://learn.microsoft.com/en-us/rest/api/compute/disks/create-or-update