Detect Unused/Unsupported Cloud Regions in Microsoft Sentinel
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers provide infrastructure globally, but organizations typically monitor only a subset of available regions and may not have security tooling (GuardDuty, Security Hub, Defender for Cloud) enabled in every region. Resources created in unmonitored or lightly-monitored regions may go undetected, enabling adversaries to conduct cryptocurrency mining, command-and-control staging, data exfiltration, and lateral movement without triggering alerts configured for primary regions. A notable variation exploits regional gaps in security service coverage — certain AWS regions may lack GuardDuty enrollment, CloudTrail data events, or Security Hub aggregation by default.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1535 Unused/Unsupported Cloud Regions
- Canonical reference
- https://attack.mitre.org/techniques/T1535/
KQL Detection Query
// CONFIGURE: Update these lists to match your organization's approved/actively monitored cloud regions
let ApprovedAzureRegions = dynamic(["eastus", "eastus2", "westus", "westus2", "westeurope", "northeurope", "uksouth", "ukwest"]);
let ApprovedAWSRegions = dynamic(["us-east-1", "us-west-2", "eu-west-1", "eu-central-1"]);
//
// Azure: Detect successful resource creation in unapproved regions
let AzureUnusualRegion =
AzureActivity
| where TimeGenerated > ago(24h)
| where ActivityStatusValue =~ "Succeeded"
| where OperationNameValue has_any (
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Sql/servers/write",
"Microsoft.Web/sites/write",
"Microsoft.KeyVault/vaults/write",
"Microsoft.Resources/resourceGroups/write"
)
| extend ResourceLocation = tolower(extract('"location":"([^"]+)"', 1, tostring(Properties)))
| where isnotempty(ResourceLocation)
| where ResourceLocation !in (ApprovedAzureRegions)
| project
TimeGenerated,
Caller,
CallerIpAddress,
OperationNameValue,
ResourceLocation,
ResourceGroup,
SubscriptionId,
CorrelationId,
CloudProvider = "Azure";
//
// AWS: Detect successful resource creation events in unapproved regions
let AWSUnusualRegion =
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where isempty(ErrorCode)
| where EventName in~ (
"RunInstances",
"CreateBucket",
"CreateCluster",
"CreateFunction",
"CreateDBInstance",
"CreateDBCluster",
"CreateVolume",
"CreateVpc",
"CreateUser",
"CreateAccessKey",
"CreateRole",
"CreateStackInstances",
"CreateSecret",
"CreateKey"
)
| where AWSRegion !in (ApprovedAWSRegions)
| project
TimeGenerated,
Caller = UserIdentityArn,
CallerIpAddress = SourceIpAddress,
OperationNameValue = EventName,
ResourceLocation = AWSRegion,
ResourceGroup = RecipientAccountId,
SubscriptionId = RecipientAccountId,
CorrelationId = EventTypeName,
CloudProvider = "AWS";
//
union AzureUnusualRegion, AWSUnusualRegion
| extend RiskIndicators = pack_array(
iff(CloudProvider == "AWS" and OperationNameValue in ("CreateUser", "CreateAccessKey", "CreateRole"), "IAM resource in unapproved region", ""),
iff(OperationNameValue =~ "RunInstances" or OperationNameValue has "virtualMachines/write", "Compute instance in unapproved region", ""),
iff(OperationNameValue =~ "CreateFunction", "Serverless function in unapproved region", "")
)
| extend RiskIndicators = array_strcat(array_slice(RiskIndicators, 0, array_length(RiskIndicators)), ", ")
| sort by TimeGenerated descDetects successful cloud resource creation events in geographic regions not included in the organization's approved/monitored region list. Covers Azure (via AzureActivity) and AWS (via AWSCloudTrail) for compute, storage, networking, database, IAM, and serverless resource provisioning. The approved region dynamic lists MUST be customized to match your actual cloud footprint before deployment. Special attention is given to IAM and compute resources, which are most commonly abused for cryptomining and C2 staging in dormant regions.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cloud expansion projects deploying to new regions for disaster recovery, latency optimization, or data residency compliance requirements where the approved region list has not been updated
- Development and QA teams spinning up temporary infrastructure in non-production regions for performance benchmarking, compliance testing, or proof-of-concept work
- Infrastructure-as-code automation pipelines (Terraform, CDK, ARM templates) deploying resources to new regions as part of an approved rollout where the change management process did not include updating detection allowlists
- Third-party managed service providers, SaaS vendors, or cloud integrators creating resources on behalf of the organization in their operationally preferred regions
- Disaster recovery failover events where standby infrastructure is legitimately activated in secondary regions
Other platforms for T1535
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS EC2 Instance Launch in Unused Region
Expected signal: AWS CloudTrail EventName=RunInstances in region ap-southeast-1. UserIdentityArn shows the calling principal. RequestParameters will include imageId, instanceType, and maxCount. This event appears in both regional CloudTrail (if enabled in ap-southeast-1) and the global management events endpoint in us-east-1.
- Test 2AWS S3 Bucket Creation in Unused Region
Expected signal: AWS CloudTrail EventName=CreateBucket in region sa-east-1. The requestParameters field includes the bucket name and LocationConstraint. This event is captured in CloudTrail management events regardless of whether regional CloudTrail is enabled in sa-east-1.
- Test 3AWS IAM Access Key Creation via Unused Region API Endpoint
Expected signal: AWS CloudTrail EventName=CreateUser and EventName=CreateAccessKey. UserIdentityArn shows the calling principal. Even though IAM is global, these events should be correlated with the unusual region activity detected in other tests — a pattern of unusual region compute creation followed by IAM key creation is a high-confidence compromise indicator.
- Test 4Azure Resource Group Creation in Unused Region
Expected signal: Azure Activity Log OperationNameValue=Microsoft.Resources/resourceGroups/write with ActivityStatusValue=Succeeded. The Caller field shows the authenticated principal's UPN or service principal ID. CallerIpAddress records the source IP. Properties contains the location field 'japaneast' which the KQL extraction regex will parse.
References (8)
- https://attack.mitre.org/techniques/T1535/
- https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html
- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html
- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1535/T1535.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
Unlock Pro Content
Get the full detection package for T1535 including response playbook, investigation guide, and atomic red team tests.