| ID | Name |
|---|---|
| ATAGS-T1101.001 | Create Cloud Instance |
| ATAGS-T1101.002 | Create Snapshot |
| ATAGS-T1101.003 | Delete Cloud Instance |
| ATAGS-T1101.004 | Modify Cloud Compute Configurations |
| ATAGS-T1101.005 | Revert Cloud Instance |
Threat Actors may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.