Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0953: Analytic 0953

Defenders can detect suspicious reversion of cloud compute instances by monitoring for unusual snapshot restores, rollback actions, or ephemeral storage resets that occur outside expected administrative workflows. From a defender’s perspective, relevant detection chains include: a snapshot restore triggered by a new or rarely used account, a sequence of snapshot creation immediately followed by a restore and instance start, or rollbacks performed from anomalous geographic or network locations. These patterns may indicate attempts to remove forensic evidence or re-establish a clean execution state for persistence.

EnterpriseAN0953AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because reverting cloud compute instances from snapshots or rollbacks can change the state of systems that investigators, SOC teams, and business owners rely on during an incident. In an IaaS environment, unusual restores or storage resets outside normal admin workflows may indicate an attempt to erase evidence or return an instance to a known state. Leaders should treat this as both a cloud security and incident response readiness question: can the organization prove who restored what, from where, and why?

Executive priority

Prioritize this where cloud compute supports critical services, regulated workloads, or incident response evidence collection. The business decision value is validating whether cloud change governance, identity controls, and logging can distinguish approved recovery activity from suspicious rollback behavior. This also supports audit and compliance evidence around administrative accountability and change traceability.

Technical view

For SOC and detection engineering teams, validate monitoring for IaaS snapshot restores, rollback actions, ephemeral storage resets, instance starts following restores, and snapshot creation followed quickly by restore activity. Pay particular attention to restores triggered by new or rarely used accounts, activity from anomalous geographic or network locations, and actions outside expected administrative workflows. Because ATT&CK does not provide a separate detection implementation here, local cloud audit logs, identity context, network location baselines, and approved change windows are essential for making this analytic actionable.

Likely telemetry

  • Cloud control-plane audit logs for snapshot restore, rollback, storage reset, and instance start actions
  • Cloud identity and access records showing the account, role, or principal performing the action
  • Snapshot lifecycle events, including creation time and restore time
  • Instance state-change events before and after restore activity
  • Source network, geographic, or session context for administrative actions

Detection direction

  • Baseline normal snapshot restore and rollback workflows for IaaS administrators and automation accounts.
  • Alert on snapshot restore or rollback actions by new, rare, or unexpected accounts, especially when followed by instance start events.
  • Correlate rapid snapshot creation followed by restore activity, as this sequence is specifically highlighted in the analytic description.
  • Compare source geography and network location against normal administrative access patterns.
  • Tune for legitimate disaster recovery, patch rollback, backup validation, and maintenance operations to reduce false positives.

Mitigation priorities

  • Ensure cloud administrative actions are logged with sufficient identity, time, resource, and source-location detail.
  • Restrict snapshot restore and rollback permissions to approved roles and workflows.
  • Require change-management linkage or documented approval for production instance restores where feasible.
  • Review rarely used accounts and automation identities that can perform restore or rollback actions.
  • Retain cloud audit logs long enough to support incident response investigations involving possible evidence removal or state reversion.
Analyst notes and limits

This is a detection analytic for IaaS environments focused on suspicious cloud compute instance reversion. The most useful implementation will come from correlating cloud control-plane events with identity baselines, source-location context, and expected administrative workflows. Glexia would frame this as a managed detection, cloud security, IAM, and IR-readiness validation item rather than a standalone indicator of compromise.

The supplied ATT&CK object has no official detection text beyond the description, no tactics, and no relationship context. It does not identify a specific cloud provider, adversary, campaign, or technique relationship. Local environment baselines and change records are required to separate suspicious behavior from legitimate recovery or maintenance activity.

Official MITRE ATT&CK definition

Analytic 0953

Defenders can detect suspicious reversion of cloud compute instances by monitoring for unusual snapshot restores, rollback actions, or ephemeral storage resets that occur outside expected administrative workflows. From a defender’s perspective, relevant detection chains include: a snapshot restore triggered by a new or rarely used account, a sequence of snapshot creation immediately followed by a restore and instance start, or rollbacks performed from anomalous geographic or network locations. These patterns may indicate attempts to remove forensic evidence or re-establish a clean execution state for persistence.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c41144ff2251f492...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle c41144ff2251…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0953
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use