title: Delete Cloud Instance (T1578.003)
id: df00tech-t1578-003
status: experimental
description: "An adversary may delete a cloud instance after performing malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can eliminate forensic artifacts including memory contents, running processes, local logs, and volatile state that would otherwise be available for incident response. Adversaries such as LAPSUS$ have deleted target cloud resources to trigger incident response processes and maximize disruption, while ransomware operators like Storm-0501 conduct mass deletion of Azure resources across subscriptions. The technique may be combined with T1578.002 (Create Cloud Instance) where adversaries spin up ephemeral instances for malicious work, then delete them upon completion."
references:
  - https://attack.mitre.org/techniques/T1578/003/
  - https://df00tech.com/detections/T1578.003
author: df00tech
date: 2026/03/13
tags:
  - attack.t1578.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # CAUTION: the placeholder selection below matches every event, so at level high this
  # rule fires on all activity as written. Replace it with the real logic before deploying;
  # for Azure, the Activity Log operation name Microsoft.Compute/virtualMachines/delete is
  # the usual anchor, with the caller identity filtered to exclude the autoscale, IaC and
  # pipeline principals listed under falsepositives.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Auto-scaling scale-in events where the cloud platform terminates instances to reduce capacity based on policy
  - "Infrastructure as Code (Terraform, Pulumi, CloudFormation) teardown operations during legitimate environment decommissioning"
  - DevOps CI/CD pipeline cleanup jobs that destroy ephemeral test or staging environments after pipeline completion
  - "Cloud cost optimization scripts (AWS Instance Scheduler, Azure DevTest Labs auto-shutdown) deleting idle instances on schedule"
  - Spot instance / preemptible VM reclamation by the cloud provider (appears as TerminateInstances from platform service roles)
level: high
