title: Revert Cloud Instance (T1578.004)
id: df00tech-t1578-004
status: experimental
description: "An adversary may revert changes made to a cloud instance after performing malicious activities to evade detection and remove evidence of their presence. In highly virtualized cloud environments, this may be accomplished by restoring virtual machine or data storage snapshots through the cloud management dashboard or cloud APIs. Adversaries may also leverage temporary ephemeral storage attached to compute instances, which resets upon instance stop/restart, to avoid leaving persistent forensic artifacts on disk. This technique is commonly used as a final step in a cloud intrusion: exfiltrate data, perform lateral movement, then restore the instance to a pre-attack snapshot to destroy forensic evidence of the compromise."
references:
  - https://attack.mitre.org/techniques/T1578/004/
  - https://df00tech.com/detections/T1578.004
author: df00tech
date: 2026/03/13
tags:
  - attack.t1578.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate disaster recovery operations by cloud operations teams restoring instances from approved snapshots per a runbook or change ticket
  - Automated backup and restore testing performed by cloud platform engineering or DevOps teams as part of DR drills
  - Development and staging environment resets where instances are routinely reverted to known-good snapshots via CI/CD pipelines
  - Patch rollback procedures reverting instances after a failed software update or breaking configuration change
  - "Chaos engineering or resilience testing platforms (e.g., AWS Fault Injection Simulator, Azure Chaos Studio) that deliberately stop and restart instances"
level: high