Instance Deletion (7561ed50-16cb-4826-82c7-c1ddca61785e)

Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples:

  • AWS: instance deletion involves the TerminateInstances API call, which is recorded in CloudTrail logs.
  • Azure: VM deletion can be monitored via Azure Activity Logs, showing the Microsoft.Compute/virtualMachines/delete operation.
  • GCP: instance deletion is logged as an instance.delete operation within GCP Audit Logs.

Data Collection Measures:

  • AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch.
  • Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account.
  • GCP Audit Logs: Logs Explorer or BigQuery.
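
The following added example (not part of the original entry) shows one way to pull instance-deletion events out of exported records from the three log sources above and normalize them to a common shape. The sample records are constructed. The field names are assumptions based on each provider's usual audit-log schema, and the GCP match on `protoPayload.methodName` ending in `compute.instances.delete` is an assumption about how the `instance.delete` operation named above appears in exported entries.

```python
import json

# Constructed sample records (not real logs), one per source plus a non-deletion event.
SAMPLES = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "eventTime": "2024-01-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0example1"},
                                                      {"instanceId": "i-0example2"}]}}},
    {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE",
     "time": "2024-01-01T10:05:00Z", "caller": "admin@example.com",
     "resourceId": "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1"},
    {"timestamp": "2024-01-01T10:10:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.delete",
                      "authenticationInfo": {"principalEmail": "svc@example.iam.gserviceaccount.com"},
                      "resourceName": "projects/example/zones/us-central1-a/instances/vm-1"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
     "eventTime": "2024-01-01T10:15:00Z",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0example3"}]}}},
]

def normalize_deletion(rec):
    """Return a list of {cloud, time, actor, instance} dicts; empty if rec is not a deletion."""
    if rec.get("eventSource") == "ec2.amazonaws.com" and rec.get("eventName") == "TerminateInstances":
        if rec.get("errorCode"):  # denied or failed call: nothing was deleted
            return []
        items = ((rec.get("requestParameters") or {}).get("instancesSet") or {}).get("items", [])
        actor = (rec.get("userIdentity") or {}).get("arn")
        # One CloudTrail event can terminate several instances; emit one hit per instance.
        return [{"cloud": "aws", "time": rec.get("eventTime"), "actor": actor,
                 "instance": i.get("instanceId")} for i in items]
    op = rec.get("operationName")
    if isinstance(op, dict):  # some Azure exports wrap the name as {"value": ...}
        op = op.get("value")
    if isinstance(op, str) and op.lower() == "microsoft.compute/virtualmachines/delete":
        return [{"cloud": "azure", "time": rec.get("time") or rec.get("eventTimestamp"),
                 "actor": rec.get("caller"), "instance": rec.get("resourceId")}]
    pp = rec.get("protoPayload") or {}
    if str(pp.get("methodName", "")).endswith("compute.instances.delete"):
        return [{"cloud": "gcp", "time": rec.get("timestamp"),
                 "actor": (pp.get("authenticationInfo") or {}).get("principalEmail"),
                 "instance": pp.get("resourceName")}]
    return []

def find_deletions(records):
    return [hit for rec in records for hit in normalize_deletion(rec)]

if __name__ == "__main__":
    for hit in find_deletions(SAMPLES):
        print(json.dumps(hit))
```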

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | Instance Deletion (7561ed50-16cb-4826-82c7-c1ddca61785e) | mitre-data-component | 1 |
| Instance Deletion (7561ed50-16cb-4826-82c7-c1ddca61785e) | mitre-data-component | Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | 1 |
| Instance Deletion (7561ed50-16cb-4826-82c7-c1ddca61785e) | mitre-data-component | Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) | Attack Pattern | 1 |
| Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) | Attack Pattern | 2 |