Detect Unused/Unsupported Cloud Regions in Google Chronicle
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers provide infrastructure globally, but organizations typically monitor only a subset of available regions and may not have security tooling (GuardDuty, Security Hub, Defender for Cloud) enabled in every region. Resources created in unmonitored or lightly-monitored regions may go undetected, enabling adversaries to conduct cryptocurrency mining, command-and-control staging, data exfiltration, and lateral movement without triggering alerts configured for primary regions. A notable variation exploits regional gaps in security service coverage — certain AWS regions may lack GuardDuty enrollment, CloudTrail data events, or Security Hub aggregation by default.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1535 Unused/Unsupported Cloud Regions
- Canonical reference
- https://attack.mitre.org/techniques/T1535/
YARA-L Detection Query
rule t1535_unused_cloud_regions {
meta:
author = "df00tech"
description = "Detects cloud resource creation in unapproved geographic regions (T1535 - Unused/Unsupported Cloud Regions)"
severity = "MEDIUM"
priority = "MEDIUM"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1535"
false_positives = "Region expansion projects, DR testing, third-party MSP provisioning"
version = "1.0"
events:
$e.metadata.event_type = "USER_RESOURCE_CREATION"
(
$e.metadata.product_name = "AWS CloudTrail" or
$e.metadata.vendor_name = "Microsoft"
)
re.regex(
$e.metadata.product_event_type,
`RunInstances|CreateBucket|CreateCluster|CreateFunction|CreateDBInstance|CreateDBCluster|CreateVolume|CreateVpc|CreateUser|CreateAccessKey|CreateRole|CreateSecret|CreateKey|CreateStackInstances|VIRTUALMACHINES/WRITE|STORAGEACCOUNTS/WRITE|MANAGEDCLUSTERS/WRITE|VIRTUALNETWORKS/WRITE|SQL/SERVERS/WRITE|KEYVAULT/VAULTS/WRITE`
)
$e.target.cloud.availability_zone != ""
not re.regex(
$e.target.cloud.availability_zone,
`^(us-east-1|us-west-2|eu-west-1|eu-central-1|eastus|eastus2|westus|westus2|westeurope|northeurope|uksouth|ukwest)$`
)
$e.security_result.action = "ALLOW"
condition:
$e
}Chronicle YARA-L 2.0 rule detecting cloud resource creation in unapproved regions via UDM event type USER_RESOURCE_CREATION. The rule matches against metadata.product_event_type for both AWS CloudTrail API call names and Azure Resource Manager operation names. Region is evaluated against target.cloud.availability_zone, which Chronicle populates from the awsRegion field in CloudTrail events and the resource location in Azure Activity logs — verify field mapping in your Chronicle environment using the UDM Event viewer. Update the approved region regex in the 'not re.regex' clause to match your organization's policy.
Data Sources
Required Tables
False Positives & Tuning
- Automated infrastructure provisioning tools (Terraform Enterprise, AWS Control Tower) creating resources during sanctioned region onboarding workflows.
- Cloud security posture tools that provision monitoring agents or configuration rules (e.g., AWS Config recorders, Security Hub enablement) across all regions including unapproved ones.
- Multi-region active-active architecture deployments where engineering teams provision resources across a wider region set than what security monitoring currently covers.
Other platforms for T1535
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Instance Launch in Unused Region
Expected signal: AWS CloudTrail EventName=RunInstances in region ap-southeast-1. UserIdentityArn shows the calling principal. RequestParameters will include imageId, instanceType, and maxCount. This event appears in both regional CloudTrail (if enabled in ap-southeast-1) and the global management events endpoint in us-east-1.
- Test 2AWS S3 Bucket Creation in Unused Region
Expected signal: AWS CloudTrail EventName=CreateBucket in region sa-east-1. The requestParameters field includes the bucket name and LocationConstraint. This event is captured in CloudTrail management events regardless of whether regional CloudTrail is enabled in sa-east-1.
- Test 3AWS IAM Access Key Creation via Unused Region API Endpoint
Expected signal: AWS CloudTrail EventName=CreateUser and EventName=CreateAccessKey. UserIdentityArn shows the calling principal. Even though IAM is global, these events should be correlated with the unusual region activity detected in other tests — a pattern of unusual region compute creation followed by IAM key creation is a high-confidence compromise indicator.
- Test 4Azure Resource Group Creation in Unused Region
Expected signal: Azure Activity Log OperationNameValue=Microsoft.Resources/resourceGroups/write with ActivityStatusValue=Succeeded. The Caller field shows the authenticated principal's UPN or service principal ID. CallerIpAddress records the source IP. Properties contains the location field 'japaneast' which the KQL extraction regex will parse.
References (8)
- https://attack.mitre.org/techniques/T1535/
- https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html
- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html
- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1535/T1535.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
Unlock Pro Content
Get the full detection package for T1535 including response playbook, investigation guide, and atomic red team tests.