| ID | Name |
|---|---|
| ATAGS-T1101.001 | Create Cloud Instance |
| ATAGS-T1101.002 | Create Snapshot |
| ATAGS-T1101.003 | Delete Cloud Instance |
| ATAGS-T1101.004 | Modify Cloud Compute Configurations |
| ATAGS-T1101.005 | Revert Cloud Instance |
Threat Actors may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.