MITRE ATT&CK Technique
Defense Evasion T1578.003
Description

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable. An adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives. (Citation: Mandiant M-Trends 2020)

Supported Platforms
IaaS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-06-16T17:23:06.508Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'An adversary may delete a cloud instance after they have '
                'performed malicious activities in an attempt to evade '
                'detection and remove evidence of their presence.  Deleting an '
                'instance or virtual machine can remove valuable forensic '
                'artifacts and other evidence of suspicious behavior if the '
                'instance is not recoverable.\n'
                '\n'
                'An adversary may also [Create Cloud '
                'Instance](https://attack.mitre.org/techniques/T1578/002) and '
                'later terminate the instance after achieving their '
                'objectives.(Citation: Mandiant M-Trends 2020)',
 'external_references': [{'external_id': 'T1578.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1578/003'},
                         {'description': 'Amazon. (n.d.). Search CloudTrail '
                                         'logs for API calls to EC2 Instances. '
                                         'Retrieved June 17, 2020.',
                          'source_name': 'AWS CloudTrail Search',
                          'url': 'https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/'},
                         {'description': 'Google. (n.d.). Audit Logs. '
                                         'Retrieved June 1, 2020.',
                          'source_name': 'Cloud Audit Logs',
                          'url': 'https://cloud.google.com/logging/docs/audit#admin-activity'},
                         {'description': 'Mandiant. (2020, February). M-Trends '
                                         '2020. Retrieved November 17, 2024.',
                          'source_name': 'Mandiant M-Trends 2020',
                          'url': 'https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf'},
                         {'description': 'Microsoft. (n.d.). View Azure '
                                         'activity logs. Retrieved June 17, '
                                         '2020.',
                          'source_name': 'Azure Activity Logs',
                          'url': 'https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs'}],
 'id': 'attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:56.705Z',
 'name': 'Delete Cloud Instance',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Arun Seelagan, CISA'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['IaaS'],
 'x_mitre_version': '1.2'}
Related Threat Actors (2)
LAPSUS$
High

Storm-0501
High