
Volume Deletion (3acecdde-c327-4498-9bb8-33a2e63c6c57)

The removal of a cloud-based or on-premises block storage volume. This action permanently deletes the allocated storage and may result in data loss if the volume has not been backed up.

Data Collection Measures:

  • Cloud Logging & APIs
    • AWS CloudTrail Logs
      • eventName: DeleteVolume (tracks volume deletions)
    • Azure Monitor Logs
      • operationName: Microsoft.Compute/disks/delete
      • status: Success | Failure (flag unauthorized delete attempts)
    • Google Cloud Audit Logs
      • protoPayload.methodName: "v1.compute.disks.delete"
      • authenticationInfo.principalEmail (identifies the user deleting the volume)
  • System & Host-Based Logging
    • Linux & macOS Logs:
      • /var/log/syslog or /var/log/messages for volume detach/deletion actions
    • Windows Event Logs:
      • Event ID 98 (Storage Class Memory)
      • Event ID 225 (Volume Removal Detected)
      • Event ID 12 (Disk Removal Notification)
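As an added example (not part of this galaxy entry), the following Python snippet applies the cloud log fields listed above to constructed sample events and emits one normalised alert per volume deletion; sample values and any field not named on the page (such as `caller`, `resourceId`, `resourceName`, `errorCode`) are assumptions about each provider's log layout.

```python
"""Added example: normalise volume-deletion events from AWS CloudTrail, Azure
Monitor and Google Cloud Audit Logs into one alert record. Sample events below
are constructed for illustration, not real captures."""
import json

# Constructed sample log lines, one per provider plus a benign read-only call.
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVolume",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"volumeId": "vol-0123456789abcdef0"}}),
    json.dumps({"operationName": "Microsoft.Compute/disks/delete",
                "status": "Failure", "caller": "bob@example.com",
                "resourceId": "/subscriptions/sub-id/resourceGroups/rg/disks/data-disk-01"}),
    json.dumps({"protoPayload": {"methodName": "v1.compute.disks.delete",
                "authenticationInfo": {"principalEmail": "carol@example.com"},
                "resourceName": "projects/p/zones/us-central1-a/disks/disk-1"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes"}),
]

def classify(event: dict):
    """Return an alert dict if the event is a block-volume deletion, else None."""
    if event.get("eventName") == "DeleteVolume":                      # AWS CloudTrail
        return {"provider": "aws",
                "principal": event.get("userIdentity", {}).get("arn"),
                "volume": event.get("requestParameters", {}).get("volumeId"),
                # CloudTrail records carry errorCode only when the call failed.
                "outcome": "Failure" if "errorCode" in event else "Success"}
    if event.get("operationName") == "Microsoft.Compute/disks/delete":  # Azure Monitor
        return {"provider": "azure", "principal": event.get("caller"),
                "volume": event.get("resourceId"), "outcome": event.get("status")}
    pp = event.get("protoPayload", {})
    if pp.get("methodName") == "v1.compute.disks.delete":              # GCP Audit Log
        return {"provider": "gcp",
                "principal": pp.get("authenticationInfo", {}).get("principalEmail"),
                "volume": pp.get("resourceName"),
                # protoPayload.status is only populated on failed calls.
                "outcome": "Failure" if pp.get("status") else "Success"}
    return None

def scan(lines):
    """Parse JSON log lines and collect volume-deletion alerts."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of crashing the pipeline
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Failed deletions are kept as alerts on purpose: a `Failure` outcome from an unexpected principal is the "unauthorized delete attempt" signal the Azure entry above calls out.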
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | Volume Deletion (3acecdde-c327-4498-9bb8-33a2e63c6c57) | mitre-data-component | 1 |
| Volume Deletion (3acecdde-c327-4498-9bb8-33a2e63c6c57) | mitre-data-component | Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | 1 |