Detect Unused/Unsupported Cloud Regions in Elastic Security
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers provide infrastructure globally, but organizations typically monitor only a subset of available regions and may not have security tooling (GuardDuty, Security Hub, Defender for Cloud) enabled in every region. Resources created in unmonitored or lightly-monitored regions may go undetected, enabling adversaries to conduct cryptocurrency mining, command-and-control staging, data exfiltration, and lateral movement without triggering alerts configured for primary regions. A notable variation exploits regional gaps in security service coverage — certain AWS regions may lack GuardDuty enrollment, CloudTrail data events, or Security Hub aggregation by default.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1535 Unused/Unsupported Cloud Regions
- Canonical reference
- https://attack.mitre.org/techniques/T1535/
Elastic Detection Query
any where
event.dataset in ("aws.cloudtrail", "azure.activitylogs")
and event.outcome == "success"
and (
event.action in (
"RunInstances", "CreateBucket", "CreateCluster", "CreateFunction",
"CreateDBInstance", "CreateDBCluster", "CreateVolume", "CreateVpc",
"CreateUser", "CreateAccessKey", "CreateRole", "CreateSecret",
"CreateKey", "CreateStackInstances"
)
or event.action in (
"MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/WRITE",
"MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE",
"MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
"MICROSOFT.NETWORK/VIRTUALNETWORKS/WRITE",
"MICROSOFT.SQL/SERVERS/WRITE",
"MICROSOFT.WEB/SITES/WRITE",
"MICROSOFT.KEYVAULT/VAULTS/WRITE",
"MICROSOFT.RESOURCES/RESOURCEGROUPS/WRITE"
)
)
and cloud.region != null
and not cloud.region in (
"us-east-1", "us-west-2", "eu-west-1", "eu-central-1",
"eastus", "eastus2", "westus", "westus2",
"westeurope", "northeurope", "uksouth", "ukwest"
)Detects successful cloud resource creation operations in AWS or Azure regions that fall outside the organization's approved/monitored region list, using ECS-normalized cloud.region field populated by the Elastic AWS and Azure integrations. Update the approved region list in the 'not cloud.region in (...)' clause to match your environment. For AWS, cloud.region is mapped from awsRegion; for Azure, it is extracted from the resource location in activity log properties.
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud infrastructure expansion projects where new geographic regions are being formally onboarded — coordinate with cloud platform teams before tuning.
- Disaster recovery or business continuity testing that deliberately provisions resources in alternate regions to validate failover runbooks.
- Third-party managed service providers or SaaS platforms (e.g., Snowflake, Databricks) provisioning resources in regions chosen for data residency or performance that differ from primary regions monitored by the team.
Other platforms for T1535
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Instance Launch in Unused Region
Expected signal: AWS CloudTrail EventName=RunInstances in region ap-southeast-1. UserIdentityArn shows the calling principal. RequestParameters will include imageId, instanceType, and maxCount. This event appears in both regional CloudTrail (if enabled in ap-southeast-1) and the global management events endpoint in us-east-1.
- Test 2AWS S3 Bucket Creation in Unused Region
Expected signal: AWS CloudTrail EventName=CreateBucket in region sa-east-1. The requestParameters field includes the bucket name and LocationConstraint. This event is captured in CloudTrail management events regardless of whether regional CloudTrail is enabled in sa-east-1.
- Test 3AWS IAM Access Key Creation via Unused Region API Endpoint
Expected signal: AWS CloudTrail EventName=CreateUser and EventName=CreateAccessKey. UserIdentityArn shows the calling principal. Even though IAM is global, these events should be correlated with the unusual region activity detected in other tests — a pattern of unusual region compute creation followed by IAM key creation is a high-confidence compromise indicator.
- Test 4Azure Resource Group Creation in Unused Region
Expected signal: Azure Activity Log OperationNameValue=Microsoft.Resources/resourceGroups/write with ActivityStatusValue=Succeeded. The Caller field shows the authenticated principal's UPN or service principal ID. CallerIpAddress records the source IP. Properties contains the location field 'japaneast' which the KQL extraction regex will parse.
References (8)
- https://attack.mitre.org/techniques/T1535/
- https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html
- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html
- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1535/T1535.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
Unlock Pro Content
Get the full detection package for T1535 including response playbook, investigation guide, and atomic red team tests.