Detect Unused/Unsupported Cloud Regions in CrowdStrike LogScale
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers provide infrastructure globally, but organizations typically monitor only a subset of available regions and may not have security tooling (GuardDuty, Security Hub, Defender for Cloud) enabled in every region. Resources created in unmonitored or lightly-monitored regions may go undetected, enabling adversaries to conduct cryptocurrency mining, command-and-control staging, data exfiltration, and lateral movement without triggering alerts configured for primary regions. A notable variation exploits regional gaps in security service coverage — certain AWS regions may lack GuardDuty enrollment, CloudTrail data events, or Security Hub aggregation by default.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1535 Unused/Unsupported Cloud Regions
- Canonical reference
- https://attack.mitre.org/techniques/T1535/
LogScale Detection Query
// Requires CloudTrail logs ingested into LogScale or Falcon CSPM cloud audit events
// CONFIGURE: Update excluded regions to match your approved set
#repo=cloudtrail
| eventName in values=[
"RunInstances", "CreateBucket", "CreateCluster", "CreateFunction",
"CreateDBInstance", "CreateDBCluster", "CreateVolume", "CreateVpc",
"CreateUser", "CreateAccessKey", "CreateRole", "CreateSecret",
"CreateKey", "CreateStackInstances"
]
| not errorCode=*
| awsRegion != "us-east-1"
| awsRegion != "us-west-2"
| awsRegion != "eu-west-1"
| awsRegion != "eu-central-1"
| awsRegion != ""
| case {
eventName in ["CreateUser", "CreateAccessKey", "CreateRole"] | riskScore := 5 ;
eventName = "RunInstances" | riskScore := 4 ;
* | riskScore := 2
}
| userIdentityType = "Root" | rootFlag := "ROOT_ACCOUNT" ; * | rootFlag := ""
| groupBy(
[awsRegion, eventName, userIdentityArn, userIdentityType, sourceIPAddress, recipientAccountId, rootFlag],
function=[
max(riskScore, as=maxRiskScore),
count(as=eventCount),
min(@timestamp, as=firstSeen),
max(@timestamp, as=lastSeen)
]
)
| sort(field=maxRiskScore, order=desc)LogScale CQL query detecting AWS resource creation events in unapproved regions, aggregated by region, operation, and actor identity with risk scoring. Designed for environments ingesting AWS CloudTrail logs directly into LogScale (Falcon LogScale SIEM). For Falcon CSPM-sourced cloud audit events, replace '#repo=cloudtrail' with the appropriate Falcon event stream repo and adjust field names (e.g., CloudAccountRegion, APIOperation) to match Falcon CSPM UDM field mapping. Update the approved region exclusion filters to match your organization's policy. The groupBy aggregation surfaces repeated activity patterns across the lookback window, not just point-in-time events.
Data Sources
Required Tables
False Positives & Tuning
- CI/CD pipelines with cross-region deployment stages that create resources in non-primary regions as part of blue-green or canary deployment strategies.
- Cloud cost optimization tooling (e.g., Spot.io, CloudHealth) that automatically provisions or migrates workloads to lower-cost regions outside the approved list.
- Incident response or forensics activities where responders deliberately spin up isolated environments in alternate regions to contain or investigate an incident without affecting production.
Other platforms for T1535
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Instance Launch in Unused Region
Expected signal: AWS CloudTrail EventName=RunInstances in region ap-southeast-1. UserIdentityArn shows the calling principal. RequestParameters will include imageId, instanceType, and maxCount. This event appears in both regional CloudTrail (if enabled in ap-southeast-1) and the global management events endpoint in us-east-1.
- Test 2AWS S3 Bucket Creation in Unused Region
Expected signal: AWS CloudTrail EventName=CreateBucket in region sa-east-1. The requestParameters field includes the bucket name and LocationConstraint. This event is captured in CloudTrail management events regardless of whether regional CloudTrail is enabled in sa-east-1.
- Test 3AWS IAM Access Key Creation via Unused Region API Endpoint
Expected signal: AWS CloudTrail EventName=CreateUser and EventName=CreateAccessKey. UserIdentityArn shows the calling principal. Even though IAM is global, these events should be correlated with the unusual region activity detected in other tests — a pattern of unusual region compute creation followed by IAM key creation is a high-confidence compromise indicator.
- Test 4Azure Resource Group Creation in Unused Region
Expected signal: Azure Activity Log OperationNameValue=Microsoft.Resources/resourceGroups/write with ActivityStatusValue=Succeeded. The Caller field shows the authenticated principal's UPN or service principal ID. CallerIpAddress records the source IP. Properties contains the location field 'japaneast' which the KQL extraction regex will parse.
References (8)
- https://attack.mitre.org/techniques/T1535/
- https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html
- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html
- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1535/T1535.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
Unlock Pro Content
Get the full detection package for T1535 including response playbook, investigation guide, and atomic red team tests.