Which SIEM platforms have a T1535 detection rule?

df00tech provides T1535 (Unused/Unsupported Cloud Regions) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Unused/Unsupported Cloud Regions (T1535)?

Detecting Unused/Unsupported Cloud Regions requires the following data sources: Cloud: Cloud Infrastructure Modification, Cloud: Cloud Service, Azure Activity Logs, AWS CloudTrail.

What severity and confidence is the T1535 detection?

The T1535 detection is rated high severity with medium confidence.

What are common false positives for T1535?

Common false positives for T1535 include: Legitimate cloud expansion projects deploying to new regions for disaster recovery, latency optimization, or data residency compliance requirements where the approved region list has not been updated; Development and QA teams spinning up temporary infrastructure in non-production regions for performance benchmarking, compliance testing, or proof-of-concept work; Infrastructure-as-code automation pipelines (Terraform, CDK, ARM templates) deploying resources to new regions as part of an approved rollout where the change management process did not include updating detection allowlists.

T1535

Unused/Unsupported Cloud Regions

Defense Evasion Last updated: April 20, 2026

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers provide infrastructure globally, but organizations typically monitor only a subset of available regions and may not have security tooling (GuardDuty, Security Hub, Defender for Cloud) enabled in every region. Resources created in unmonitored or lightly-monitored regions may go undetected, enabling adversaries to conduct cryptocurrency mining, command-and-control staging, data exfiltration, and lateral movement without triggering alerts configured for primary regions. A notable variation exploits regional gaps in security service coverage — certain AWS regions may lack GuardDuty enrollment, CloudTrail data events, or Security Hub aggregation by default.

What is T1535 Unused/Unsupported Cloud Regions?

Unused/Unsupported Cloud Regions (T1535) maps to the Defense Evasion tactic — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Unused/Unsupported Cloud Regions, covering the data sources and telemetry it touches: Cloud: Cloud Infrastructure Modification, Cloud: Cloud Service, Azure Activity Logs, AWS CloudTrail. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1535 Unused/Unsupported Cloud Regions
Canonical reference: https://attack.mitre.org/techniques/T1535/

Microsoft Sentinel / Defender

kusto

// CONFIGURE: Update these lists to match your organization's approved/actively monitored cloud regions
let ApprovedAzureRegions = dynamic(["eastus", "eastus2", "westus", "westus2", "westeurope", "northeurope", "uksouth", "ukwest"]);
let ApprovedAWSRegions = dynamic(["us-east-1", "us-west-2", "eu-west-1", "eu-central-1"]);
//
// Azure: Detect successful resource creation in unapproved regions
let AzureUnusualRegion =
AzureActivity
| where TimeGenerated > ago(24h)
| where ActivityStatusValue =~ "Succeeded"
| where OperationNameValue has_any (
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Sql/servers/write",
    "Microsoft.Web/sites/write",
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.Resources/resourceGroups/write"
  )
| extend ResourceLocation = tolower(extract('"location":"([^"]+)"', 1, tostring(Properties)))
| where isnotempty(ResourceLocation)
| where ResourceLocation !in (ApprovedAzureRegions)
| project
    TimeGenerated,
    Caller,
    CallerIpAddress,
    OperationNameValue,
    ResourceLocation,
    ResourceGroup,
    SubscriptionId,
    CorrelationId,
    CloudProvider = "Azure";
//
// AWS: Detect successful resource creation events in unapproved regions
let AWSUnusualRegion =
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where isempty(ErrorCode)
| where EventName in~ (
    "RunInstances",
    "CreateBucket",
    "CreateCluster",
    "CreateFunction",
    "CreateDBInstance",
    "CreateDBCluster",
    "CreateVolume",
    "CreateVpc",
    "CreateUser",
    "CreateAccessKey",
    "CreateRole",
    "CreateStackInstances",
    "CreateSecret",
    "CreateKey"
  )
| where AWSRegion !in (ApprovedAWSRegions)
| project
    TimeGenerated,
    Caller = UserIdentityArn,
    CallerIpAddress = SourceIpAddress,
    OperationNameValue = EventName,
    ResourceLocation = AWSRegion,
    ResourceGroup = RecipientAccountId,
    SubscriptionId = RecipientAccountId,
    CorrelationId = EventTypeName,
    CloudProvider = "AWS";
//
union AzureUnusualRegion, AWSUnusualRegion
| extend RiskIndicators = pack_array(
    iff(CloudProvider == "AWS" and OperationNameValue in ("CreateUser", "CreateAccessKey", "CreateRole"), "IAM resource in unapproved region", ""),
    iff(OperationNameValue =~ "RunInstances" or OperationNameValue has "virtualMachines/write", "Compute instance in unapproved region", ""),
    iff(OperationNameValue =~ "CreateFunction", "Serverless function in unapproved region", "")
  )
| extend RiskIndicators = array_strcat(array_slice(RiskIndicators, 0, array_length(RiskIndicators)), ", ")
| sort by TimeGenerated desc

Detects successful cloud resource creation events in geographic regions not included in the organization's approved/monitored region list. Covers Azure (via AzureActivity) and AWS (via AWSCloudTrail) for compute, storage, networking, database, IAM, and serverless resource provisioning. The approved region dynamic lists MUST be customized to match your actual cloud footprint before deployment. Special attention is given to IAM and compute resources, which are most commonly abused for cryptomining and C2 staging in dormant regions.

high severity medium confidence

Data Sources

Cloud: Cloud Infrastructure Modification Cloud: Cloud Service Azure Activity Logs AWS CloudTrail

Required Tables

AzureActivity AWSCloudTrail

False Positives

Legitimate cloud expansion projects deploying to new regions for disaster recovery, latency optimization, or data residency compliance requirements where the approved region list has not been updated
Development and QA teams spinning up temporary infrastructure in non-production regions for performance benchmarking, compliance testing, or proof-of-concept work
Infrastructure-as-code automation pipelines (Terraform, CDK, ARM templates) deploying resources to new regions as part of an approved rollout where the change management process did not include updating detection allowlists
Third-party managed service providers, SaaS vendors, or cloud integrators creating resources on behalf of the organization in their operationally preferred regions
Disaster recovery failover events where standby infrastructure is legitimately activated in secondary regions

Splunk

spl

index=* (sourcetype="aws:cloudtrail" OR sourcetype="amazon:cloudtrail")
  (eventName="RunInstances" OR eventName="CreateBucket" OR eventName="CreateCluster"
   OR eventName="CreateFunction" OR eventName="CreateDBInstance" OR eventName="CreateDBCluster"
   OR eventName="CreateVolume" OR eventName="CreateVpc" OR eventName="CreateUser"
   OR eventName="CreateAccessKey" OR eventName="CreateRole" OR eventName="CreateSecret"
   OR eventName="CreateKey" OR eventName="CreateStackInstances")
  NOT errorCode=*
| eval ApprovedRegions="us-east-1,us-west-2,eu-west-1,eu-central-1"
| eval isApprovedRegion=if(match(awsRegion, "^(us-east-1|us-west-2|eu-west-1|eu-central-1)$"), 1, 0)
| where isApprovedRegion=0
| eval ActorType=coalesce('userIdentity.type', "Unknown")
| eval Actor=coalesce('userIdentity.arn', 'userIdentity.userName', "Unknown")
| eval IsRootAccount=if(ActorType="Root", 1, 0)
| eval IsAssumedRole=if(match(ActorType, "AssumedRole"), 1, 0)
| eval IsMachineIdentity=if(match(Actor, "(lambda|ec2|ecs|eks|codebuild|ssm)"), 1, 0)
| eval RiskScore=2
| eval RiskScore=RiskScore + if(IsRootAccount=1, 3, 0)
| eval RiskScore=RiskScore + if(eventName IN ("CreateUser", "CreateAccessKey", "CreateRole"), 3, 0)
| eval RiskScore=RiskScore + if(eventName="RunInstances", 2, 0)
| eval RiskScore=RiskScore + if(IsMachineIdentity=0 AND IsAssumedRole=0, 1, 0)
| table _time, awsRegion, eventName, Actor, ActorType, IsRootAccount, IsAssumedRole, sourceIPAddress, userAgent, recipientAccountId, RiskScore
| sort - RiskScore, - _time

Detects successful AWS CloudTrail resource creation events in regions not matching the organization's approved region list. Evaluates events across compute, storage, networking, database, serverless, and IAM categories. A risk score is calculated based on resource type sensitivity (IAM > compute > storage), identity type (root account usage is highest risk), and whether the caller is a human identity versus a machine role. Update the approved regions regex pattern to match your actual AWS footprint. For Azure cloud resources in Splunk, use sourcetype=mscs:azure:activity or azure:monitor:activity with equivalent logic.

high severity medium confidence

Data Sources

Cloud: Cloud Infrastructure Modification Cloud: Cloud Service AWS CloudTrail

Required Sourcetypes

aws:cloudtrail amazon:cloudtrail

False Positives

Legitimate cloud expansion projects deploying to new regions for disaster recovery, latency optimization, or data residency compliance requirements where the approved region regex has not been updated
Development and QA teams spinning up temporary infrastructure in non-production regions for performance benchmarking or compliance testing
Infrastructure-as-code automation pipelines deploying resources to new regions during an approved rollout without corresponding detection rule updates
Third-party managed service providers or SaaS vendors creating resources in their operationally preferred regions on behalf of the organization
Machine identities (Lambda execution roles, EC2 instance profiles) making cross-region API calls for legitimate data replication or failover workflows

Elastic Security (EQL)

eql

any where
  event.dataset in ("aws.cloudtrail", "azure.activitylogs")
  and event.outcome == "success"
  and (
    event.action in (
      "RunInstances", "CreateBucket", "CreateCluster", "CreateFunction",
      "CreateDBInstance", "CreateDBCluster", "CreateVolume", "CreateVpc",
      "CreateUser", "CreateAccessKey", "CreateRole", "CreateSecret",
      "CreateKey", "CreateStackInstances"
    )
    or event.action in (
      "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
      "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/WRITE",
      "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE",
      "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
      "MICROSOFT.NETWORK/VIRTUALNETWORKS/WRITE",
      "MICROSOFT.SQL/SERVERS/WRITE",
      "MICROSOFT.WEB/SITES/WRITE",
      "MICROSOFT.KEYVAULT/VAULTS/WRITE",
      "MICROSOFT.RESOURCES/RESOURCEGROUPS/WRITE"
    )
  )
  and cloud.region != null
  and not cloud.region in (
    "us-east-1", "us-west-2", "eu-west-1", "eu-central-1",
    "eastus", "eastus2", "westus", "westus2",
    "westeurope", "northeurope", "uksouth", "ukwest"
  )

Detects successful cloud resource creation operations in AWS or Azure regions that fall outside the organization's approved/monitored region list, using ECS-normalized cloud.region field populated by the Elastic AWS and Azure integrations. Update the approved region list in the 'not cloud.region in (...)' clause to match your environment. For AWS, cloud.region is mapped from awsRegion; for Azure, it is extracted from the resource location in activity log properties.

medium severity medium confidence

Data Sources

AWS CloudTrail via Elastic Agent AWS integration (aws.cloudtrail) Azure Activity Logs via Elastic Agent Azure integration (azure.activitylogs)

Required Tables

logs-aws.cloudtrail-* logs-azure.activitylogs-*

False Positives

Authorized cloud infrastructure expansion projects where new geographic regions are being formally onboarded — coordinate with cloud platform teams before tuning.
Disaster recovery or business continuity testing that deliberately provisions resources in alternate regions to validate failover runbooks.
Third-party managed service providers or SaaS platforms (e.g., Snowflake, Databricks) provisioning resources in regions chosen for data residency or performance that differ from primary regions monitored by the team.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Actor,
  QIDNAME(qid) AS EventAction,
  "AWS Region" AS CloudRegion,
  "Account ID" AS AccountId,
  "User Identity Type" AS ActorType,
  "User Identity ARN" AS ActorARN,
  LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Amazon AWS CloudTrail%'
  AND QIDNAME(qid) IN (
    'RunInstances', 'CreateBucket', 'CreateCluster', 'CreateFunction',
    'CreateDBInstance', 'CreateDBCluster', 'CreateVolume', 'CreateVpc',
    'CreateUser', 'CreateAccessKey', 'CreateRole', 'CreateSecret',
    'CreateKey', 'CreateStackInstances'
  )
  AND ("Error Code" IS NULL OR "Error Code" = '')
  AND "AWS Region" NOT IN (
    'us-east-1', 'us-west-2', 'eu-west-1', 'eu-central-1'
  )
  AND "AWS Region" IS NOT NULL
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000

Detects AWS CloudTrail resource creation events originating from regions outside the approved list, querying QRadar's normalized events table via the Amazon AWS CloudTrail DSM. The fields 'AWS Region', 'Account ID', 'User Identity Type', and 'User Identity ARN' are Custom Event Properties (CEPs) created by the CloudTrail DSM parser — verify these property names match your QRadar deployment using the Log Activity viewer. Extend with Azure Activity Log DSM entries using a UNION or separate rule targeting LOGSOURCETYPENAME ILIKE '%Microsoft Azure%' with equivalent operation name filters.

medium severity medium confidence

Data Sources

Amazon AWS CloudTrail DSM (QRadar built-in) Microsoft Azure Activity DSM (QRadar built-in)

Required Tables

events

False Positives

Cloud automation pipelines (Terraform, CloudFormation, Pulumi) provisioning resources during infrastructure-as-code deployments that span regions not yet added to the approved list.
Engineering teams running performance or latency benchmarks in alternate regions during pre-production testing phases.
Mergers and acquisitions where the acquired entity's cloud footprint spans regions outside the parent organization's monitored set — these will fire until the approved region list is updated.

Sumo Logic CSE

sql

// CONFIGURE: Update _sourceCategory to match your CloudTrail log source path
_sourceCategory=aws/cloudtrail
| json field=_raw "eventName" as eventName
| json field=_raw "awsRegion" as awsRegion
| json field=_raw "errorCode" as errorCode nodrop
| json field=_raw "userIdentity.type" as actorType nodrop
| json field=_raw "userIdentity.arn" as actorArn nodrop
| json field=_raw "userIdentity.userName" as actorUserName nodrop
| json field=_raw "sourceIPAddress" as sourceIP nodrop
| json field=_raw "userAgent" as userAgent nodrop
| json field=_raw "recipientAccountId" as accountId nodrop
| where eventName in ("RunInstances","CreateBucket","CreateCluster","CreateFunction",
    "CreateDBInstance","CreateDBCluster","CreateVolume","CreateVpc",
    "CreateUser","CreateAccessKey","CreateRole","CreateSecret",
    "CreateKey","CreateStackInstances")
| where isNull(errorCode) or isEmpty(errorCode)
| where !(awsRegion in ("us-east-1","us-west-2","eu-west-1","eu-central-1"))
| if(!isNull(actorArn), actorArn, actorUserName) as actor
| if(actorType == "Root", 1, 0) as isRootAccount
| if(eventName in ("CreateUser","CreateAccessKey","CreateRole"), 1, 0) as isIAMOperation
| if(eventName == "RunInstances", 1, 0) as isComputeCreate
| 2 + (isRootAccount * 3) + (isIAMOperation * 3) + (isComputeCreate * 2) as riskScore
| fields _messageTime, awsRegion, eventName, actor, actorType, sourceIP, userAgent, accountId, riskScore
| sort by riskScore, _messageTime

Detects AWS CloudTrail resource creation events in regions outside the approved list with risk scoring weighted toward IAM operations (CreateUser, CreateAccessKey, CreateRole), root account usage, and compute provisioning (RunInstances). Includes Azure Activity Log variant by adding OR clause on _sourceCategory for Azure logs and parsing operationName and resourceLocation fields. Update the _sourceCategory expression and approved region list to match your ingestion configuration.

medium severity medium confidence

Data Sources

AWS CloudTrail (Sumo Logic S3 source or HTTP source) Azure Activity Logs (Sumo Logic Azure Monitor source)

Required Tables

Sumo Logic log index (configured _sourceCategory)

False Positives

Approved cloud workload migrations where resources are being relocated to a new region as part of an authorized project — check change management records before escalating.
Security tooling deployments (e.g., bootstrapping GuardDuty, Security Hub, or Defender for Cloud in a previously uncovered region) which themselves trigger resource creation events in that region.
Development or sandbox accounts operated by engineering teams who routinely experiment in various regions outside the production-approved set.

Google Chronicle / SecOps

yaral

rule t1535_unused_cloud_regions {
  meta:
    author = "df00tech"
    description = "Detects cloud resource creation in unapproved geographic regions (T1535 - Unused/Unsupported Cloud Regions)"
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1535"
    false_positives = "Region expansion projects, DR testing, third-party MSP provisioning"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_RESOURCE_CREATION"
    (
      $e.metadata.product_name = "AWS CloudTrail" or
      $e.metadata.vendor_name = "Microsoft"
    )
    re.regex(
      $e.metadata.product_event_type,
      `RunInstances|CreateBucket|CreateCluster|CreateFunction|CreateDBInstance|CreateDBCluster|CreateVolume|CreateVpc|CreateUser|CreateAccessKey|CreateRole|CreateSecret|CreateKey|CreateStackInstances|VIRTUALMACHINES/WRITE|STORAGEACCOUNTS/WRITE|MANAGEDCLUSTERS/WRITE|VIRTUALNETWORKS/WRITE|SQL/SERVERS/WRITE|KEYVAULT/VAULTS/WRITE`
    )
    $e.target.cloud.availability_zone != ""
    not re.regex(
      $e.target.cloud.availability_zone,
      `^(us-east-1|us-west-2|eu-west-1|eu-central-1|eastus|eastus2|westus|westus2|westeurope|northeurope|uksouth|ukwest)$`
    )
    $e.security_result.action = "ALLOW"

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting cloud resource creation in unapproved regions via UDM event type USER_RESOURCE_CREATION. The rule matches against metadata.product_event_type for both AWS CloudTrail API call names and Azure Resource Manager operation names. Region is evaluated against target.cloud.availability_zone, which Chronicle populates from the awsRegion field in CloudTrail events and the resource location in Azure Activity logs — verify field mapping in your Chronicle environment using the UDM Event viewer. Update the approved region regex in the 'not re.regex' clause to match your organization's policy.

medium severity medium confidence

Data Sources

AWS CloudTrail (Chronicle ingestion via S3 or direct feed) Azure Activity Logs (Chronicle Azure feed)

Required Tables

UDM Events (USER_RESOURCE_CREATION category)

False Positives

Automated infrastructure provisioning tools (Terraform Enterprise, AWS Control Tower) creating resources during sanctioned region onboarding workflows.
Cloud security posture tools that provision monitoring agents or configuration rules (e.g., AWS Config recorders, Security Hub enablement) across all regions including unapproved ones.
Multi-region active-active architecture deployments where engineering teams provision resources across a wider region set than what security monitoring currently covers.

CrowdStrike LogScale (CQL)

cql

// Requires CloudTrail logs ingested into LogScale or Falcon CSPM cloud audit events
// CONFIGURE: Update excluded regions to match your approved set
#repo=cloudtrail
| eventName in values=[
    "RunInstances", "CreateBucket", "CreateCluster", "CreateFunction",
    "CreateDBInstance", "CreateDBCluster", "CreateVolume", "CreateVpc",
    "CreateUser", "CreateAccessKey", "CreateRole", "CreateSecret",
    "CreateKey", "CreateStackInstances"
  ]
| not errorCode=*
| awsRegion != "us-east-1"
| awsRegion != "us-west-2"
| awsRegion != "eu-west-1"
| awsRegion != "eu-central-1"
| awsRegion != ""
| case {
    eventName in ["CreateUser", "CreateAccessKey", "CreateRole"] | riskScore := 5 ;
    eventName = "RunInstances" | riskScore := 4 ;
    * | riskScore := 2
  }
| userIdentityType = "Root" | rootFlag := "ROOT_ACCOUNT" ; * | rootFlag := ""
| groupBy(
    [awsRegion, eventName, userIdentityArn, userIdentityType, sourceIPAddress, recipientAccountId, rootFlag],
    function=[
      max(riskScore, as=maxRiskScore),
      count(as=eventCount),
      min(@timestamp, as=firstSeen),
      max(@timestamp, as=lastSeen)
    ]
  )
| sort(field=maxRiskScore, order=desc)

LogScale CQL query detecting AWS resource creation events in unapproved regions, aggregated by region, operation, and actor identity with risk scoring. Designed for environments ingesting AWS CloudTrail logs directly into LogScale (Falcon LogScale SIEM). For Falcon CSPM-sourced cloud audit events, replace '#repo=cloudtrail' with the appropriate Falcon event stream repo and adjust field names (e.g., CloudAccountRegion, APIOperation) to match Falcon CSPM UDM field mapping. Update the approved region exclusion filters to match your organization's policy. The groupBy aggregation surfaces repeated activity patterns across the lookback window, not just point-in-time events.

medium severity medium confidence

Data Sources

AWS CloudTrail logs ingested into CrowdStrike LogScale Falcon CSPM cloud audit event stream (alternate field mapping required)

Required Tables

LogScale cloudtrail repository (or equivalent configured repo name)

False Positives

CI/CD pipelines with cross-region deployment stages that create resources in non-primary regions as part of blue-green or canary deployment strategies.
Cloud cost optimization tooling (e.g., Spot.io, CloudHealth) that automatically provisions or migrates workloads to lower-cost regions outside the approved list.
Incident response or forensics activities where responders deliberately spin up isolated environments in alternate regions to contain or investigate an incident without affecting production.

Sigma rule & cross-platform mapping

The detection logic for Unused/Unsupported Cloud Regions (T1535) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1535 Sigma rules on detection.fyi

Platform-specific guides for T1535

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-20 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1AWS EC2 Instance Launch in Unused Region
Expected signal: AWS CloudTrail EventName=RunInstances in region ap-southeast-1. UserIdentityArn shows the calling principal. RequestParameters will include imageId, instanceType, and maxCount. This event appears in both regional CloudTrail (if enabled in ap-southeast-1) and the global management events endpoint in us-east-1.
Test 2AWS S3 Bucket Creation in Unused Region
Expected signal: AWS CloudTrail EventName=CreateBucket in region sa-east-1. The requestParameters field includes the bucket name and LocationConstraint. This event is captured in CloudTrail management events regardless of whether regional CloudTrail is enabled in sa-east-1.
Test 3AWS IAM Access Key Creation via Unused Region API Endpoint
Expected signal: AWS CloudTrail EventName=CreateUser and EventName=CreateAccessKey. UserIdentityArn shows the calling principal. Even though IAM is global, these events should be correlated with the unusual region activity detected in other tests — a pattern of unusual region compute creation followed by IAM key creation is a high-confidence compromise indicator.
Test 4Azure Resource Group Creation in Unused Region
Expected signal: Azure Activity Log OperationNameValue=Microsoft.Resources/resourceGroups/write with ActivityStatusValue=Succeeded. The Caller field shows the authenticated principal's UPN or service principal ID. CallerIpAddress records the source IP. Properties contains the location field 'japaneast' which the KQL extraction regex will parse.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1535 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Unused/Unsupported Cloud Regions

What is T1535 Unused/Unsupported Cloud Regions?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1535

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1535 Unused/Unsupported Cloud Regions?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1535

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox