TerminateInstances
Event
Permanently terminates one or more EC2 instances, releasing instance store data and associated resources.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Impact Defense Evasion
Techniques:
- T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...
- T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...