Image Deletion (8b4ca854-ac08-47da-b24f-601b28a39aff)
Removal of a virtual machine image in a cloud infrastructure (ex: Azure Compute Service Images DELETE)

Examples:
- Azure Compute Service Image Deletion
  - Example: Deleting a virtual machine image using Azure CLI: `az image delete --name MyImage --resource-group MyResourceGroup`
- AWS EC2 AMI (Amazon Machine Image) Deletion
  - Example: Deregistering an AMI in AWS: `aws ec2 deregister-image --image-id ami-1234567890abcdef0`
- Google Cloud Compute Engine Image Deletion
  - Example: Deleting a custom image in Google Cloud: `gcloud compute images delete my-custom-image`
- VMware vSphere
  - Example: Deleting a VM image/template from a vSphere environment:

This data component can be collected through the following measures:
Enable Cloud Platform Logging
- Azure: Enable "Activity Logs" to capture DELETE requests to `Microsoft.Compute/images`.
- AWS: Use AWS CloudTrail to monitor `DeregisterImage` or `DeleteSnapshot` API calls.
- Google Cloud: Enable "Cloud Audit Logs" to track image deletion events under `compute.googleapis.com/images`.
API Monitoring
- Monitor API activity to track the deletion of images using:
  - AWS SDK/CLI `DeregisterImage` or `DeleteSnapshot`.
  - Azure REST API DELETE operations for images.
  - Google Cloud Compute Engine APIs for image deletion.
Cloud SIEM Integration
- Ingest logs into a centralized SIEM platform for monitoring and alerting:
Event Correlation
- Correlate image deletion events with unusual account activity or concurrent unauthorized operations.
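
The correlation step above, sketched for the AWS case as an added example (not part of the original page): it scans CloudTrail-style JSON lines for `DeregisterImage` / `DeleteSnapshot` calls and flags any principal that issues several of them within a short window. The sample records, the helper names, the threshold of 3 and the 10-minute window are constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

DELETION_EVENTS = {"DeregisterImage", "DeleteSnapshot"}  # CloudTrail eventName values

def _rec(time, name, user, ip):
    """Build one constructed CloudTrail-style record as a JSON line."""
    return json.dumps({"eventTime": time, "eventSource": "ec2.amazonaws.com",
                       "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}})

# Constructed sample input, not real log data.
SAMPLE_LINES = [
    _rec("2024-05-01T08:00:00Z", "DeregisterImage", "build-bot", "198.51.100.7"),
    _rec("2024-05-01T10:00:00Z", "DescribeImages", "alice", "203.0.113.9"),
    _rec("2024-05-01T10:01:00Z", "DeregisterImage", "alice", "203.0.113.9"),
    _rec("2024-05-01T10:02:30Z", "DeleteSnapshot", "alice", "203.0.113.9"),
    "not-json garbage line",
    _rec("2024-05-01T10:04:00Z", "DeregisterImage", "alice", "203.0.113.9"),
    _rec("2024-05-01T12:00:00Z", "DeleteSnapshot", "build-bot", "198.51.100.7"),
]

def find_deletion_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per principal with >= threshold deletions inside window."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if rec.get("eventName") in DELETION_EVENTS:
            events.append(rec)
    events.sort(key=lambda r: r["eventTime"])  # same-format UTC strings sort by time
    recent, alerted, alerts = defaultdict(deque), set(), []
    for rec in events:
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        now = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        seen = recent[who]
        seen.append(now)
        while now - seen[0] > window:
            seen.popleft()  # drop deletions that fell out of the window
        if len(seen) >= threshold and who not in alerted:
            alerted.add(who)
            alerts.append({"principal": who, "count": len(seen),
                           "source_ip": rec.get("sourceIPAddress"),
                           "window_start": seen[0].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_deletion_bursts(SAMPLE_LINES):
        print(alert)
```
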
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | Image Deletion (8b4ca854-ac08-47da-b24f-601b28a39aff) | mitre-data-component | 1 |