Detect Revert Cloud Instance in Sumo Logic CSE
An adversary may revert changes made to a cloud instance after performing malicious activities to evade detection and remove evidence of their presence. In highly virtualized cloud environments, this may be accomplished by restoring virtual machine or data storage snapshots through the cloud management dashboard or cloud APIs. Adversaries may also leverage temporary ephemeral storage attached to compute instances, which resets upon instance stop/restart, to avoid leaving persistent forensic artifacts on disk. This technique is commonly used as a final step in a cloud intrusion: exfiltrate data, perform lateral movement, then restore the instance to a pre-attack snapshot to destroy forensic evidence of the compromise.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.004 Revert Cloud Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1578/004/
Sumo Detection Query
_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount descSumo Logic detection for Revert Cloud Instance. Detects cloud instance revert operations across Azure and AWS that may indicate an adversary restoring a VM or disk to a pre-attack state to destroy forensic evidence. Monitors Azure disk and restore
Data Sources
Required Tables
False Positives & Tuning
- Cloud administrators creating authorized snapshots for backup or migration
- Automated disaster recovery systems creating scheduled cloud snapshots
- DevOps pipelines creating and deleting compute instances as part of CI/CD
- Authorized cloud infrastructure migrations between regions or accounts
Other platforms for T1578.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Stop and Start Instance (Ephemeral Storage Reset)
Expected signal: AWS CloudTrail: Two events in close sequence — `eventName=StopInstances` with `requestParameters.instancesSet.items[0].instanceId=<instance-id>`, followed by `eventName=StartInstances` for the same instance ID. Both events include `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `errorCode` (empty on success). `requestParameters` contains the instance ID in the `instancesSet` structure.
- Test 2AWS EBS Volume Restore from Snapshot (Disk Revert)
Expected signal: AWS CloudTrail: `eventName=CreateVolume` with `requestParameters.snapshotId=<snapshot-id>` (volume created from snapshot), followed by `eventName=AttachVolume` with `requestParameters.volumeId=<volume-id>` and `requestParameters.instanceId=<instance-id>`. Both events record `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, and `eventTime`. The `CreateVolume` event's `responseElements` will contain the new `volumeId` matching the `AttachVolume` request.
- Test 3Azure Managed Disk Creation from Snapshot
Expected signal: Azure Activity Logs: `operationName=Microsoft.Compute/disks/write` with HTTP status 201 (Created). The `properties` field contains `creationData.createOption=Copy` and `creationData.sourceResourceId` pointing to the snapshot resource ID. Event includes `caller` (Azure AD principal UPN or service principal ID), `callerIpAddress`, `resourceId` (new disk ARM ID), `resourceGroup`, `subscriptionId`, and `correlationId`. If VM disk swap follows, additional `Microsoft.Compute/virtualMachines/write`, deallocate, and start operations appear.
- Test 4AWS AMI Registration from Snapshot (Instance Replacement Revert)
Expected signal: AWS CloudTrail: `eventName=RegisterImage` with `requestParameters.blockDeviceMapping` array containing an entry with `snapshotId=<snapshot-id>` and `deviceName=/dev/xvda`. Event records `userIdentity.arn`, `sourceIPAddress`, `awsRegion`, `eventTime`, and `responseElements.imageId` (the new AMI ID). If a subsequent `RunInstances` call uses this AMI, the `requestParameters.imageId` in that event will match the registered AMI ID.
References (15)
- https://attack.mitre.org/techniques/T1578/004/
- https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/
- https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-store-volumes.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html
- https://learn.microsoft.com/en-us/azure/virtual-machines/snapshot-copy-managed-disk
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.004/T1578.004.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterImage.html
- https://learn.microsoft.com/en-us/rest/api/compute/disks/create-or-update
Unlock Pro Content
Get the full detection package for T1578.004 including response playbook, investigation guide, and atomic red team tests.