- Tactics
- defense-impairment
- Platforms
- IaaS
- Reference
- attack.mitre.org/techniques/T1578.004
Description
An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the defense-impairment tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1112 — Modify Registry
- T1207 — Rogue Domain Controller
- T1222 — File and Directory Permissions Modification
- T1484 — Domain or Tenant Policy Modification
- T1553 — Subvert Trust Controls
- T1556 — Modify Authentication Process
- T1578 — Modify Cloud Compute Infrastructure
- T1599 — Network Boundary Bridging
- T1600 — Weaken Encryption
- T1601 — Modify System Image
- T1647 — Plist File Modification
- T1666 — Modify Cloud Resource Hierarchy