T1535 Sumo Logic CSE · Sumo

Detect Unused/Unsupported Cloud Regions in Sumo Logic CSE

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers provide infrastructure globally, but organizations typically monitor only a subset of available regions and may not have security tooling (GuardDuty, Security Hub, Defender for Cloud) enabled in every region. Resources created in unmonitored or lightly-monitored regions may go undetected, enabling adversaries to conduct cryptocurrency mining, command-and-control staging, data exfiltration, and lateral movement without triggering alerts configured for primary regions. A notable variation exploits regional gaps in security service coverage — certain AWS regions may lack GuardDuty enrollment, CloudTrail data events, or Security Hub aggregation by default.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1535 Unused/Unsupported Cloud Regions
Canonical reference
https://attack.mitre.org/techniques/T1535/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// CONFIGURE: Update _sourceCategory to match your CloudTrail log source path
_sourceCategory=aws/cloudtrail
| json field=_raw "eventName" as eventName
| json field=_raw "awsRegion" as awsRegion
| json field=_raw "errorCode" as errorCode nodrop
| json field=_raw "userIdentity.type" as actorType nodrop
| json field=_raw "userIdentity.arn" as actorArn nodrop
| json field=_raw "userIdentity.userName" as actorUserName nodrop
| json field=_raw "sourceIPAddress" as sourceIP nodrop
| json field=_raw "userAgent" as userAgent nodrop
| json field=_raw "recipientAccountId" as accountId nodrop
| where eventName in ("RunInstances","CreateBucket","CreateCluster","CreateFunction",
    "CreateDBInstance","CreateDBCluster","CreateVolume","CreateVpc",
    "CreateUser","CreateAccessKey","CreateRole","CreateSecret",
    "CreateKey","CreateStackInstances")
| where isNull(errorCode) or isEmpty(errorCode)
| where !(awsRegion in ("us-east-1","us-west-2","eu-west-1","eu-central-1"))
| if(!isNull(actorArn), actorArn, actorUserName) as actor
| if(actorType == "Root", 1, 0) as isRootAccount
| if(eventName in ("CreateUser","CreateAccessKey","CreateRole"), 1, 0) as isIAMOperation
| if(eventName == "RunInstances", 1, 0) as isComputeCreate
| 2 + (isRootAccount * 3) + (isIAMOperation * 3) + (isComputeCreate * 2) as riskScore
| fields _messageTime, awsRegion, eventName, actor, actorType, sourceIP, userAgent, accountId, riskScore
| sort by riskScore, _messageTime
Severity: medium · Confidence: medium

Detects AWS CloudTrail resource creation events in regions outside the approved list, with risk scoring weighted toward IAM operations (CreateUser, CreateAccessKey, CreateRole), root account usage, and compute provisioning (RunInstances). Failed calls (those carrying an errorCode) are excluded so that only successfully created resources alert. An Azure Activity Log variant can be built by adding an OR clause on _sourceCategory for the Azure log source and parsing the operationName and resourceLocation fields. Update the _sourceCategory expression and the approved region list to match your ingestion configuration.
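As an added example (not part of the original page or Sumo Logic's own tooling), the following Python applies the query's where-clauses and riskScore formula to a few constructed CloudTrail records, so the scoring and the filtering of approved-region and failed calls can be checked offline before the query is deployed. The account id, ARNs and regions in the sample records are constructed placeholders.

```python
import json

# Copied from the Sumo query above: approved regions and the creation events it watches.
APPROVED_REGIONS = {"us-east-1", "us-west-2", "eu-west-1", "eu-central-1"}
CREATE_EVENTS = {
    "RunInstances", "CreateBucket", "CreateCluster", "CreateFunction",
    "CreateDBInstance", "CreateDBCluster", "CreateVolume", "CreateVpc",
    "CreateUser", "CreateAccessKey", "CreateRole", "CreateSecret",
    "CreateKey", "CreateStackInstances",
}
IAM_EVENTS = {"CreateUser", "CreateAccessKey", "CreateRole"}


def score_event(raw):
    """Apply the query's where-clauses and riskScore formula to one CloudTrail
    record (JSON text). Returns a dict for a hit, or None when filtered out."""
    ev = json.loads(raw)
    name, region = ev.get("eventName"), ev.get("awsRegion")
    if name not in CREATE_EVENTS or region in APPROVED_REGIONS:
        return None
    if ev.get("errorCode"):  # only successful calls: isNull(errorCode) or isEmpty(errorCode)
        return None
    ident = ev.get("userIdentity", {})
    actor = ident.get("arn") or ident.get("userName")  # if(!isNull(actorArn), actorArn, actorUserName)
    risk = 2                                           # base score for any out-of-region creation
    risk += 3 if ident.get("type") == "Root" else 0    # isRootAccount * 3
    risk += 3 if name in IAM_EVENTS else 0             # isIAMOperation * 3
    risk += 2 if name == "RunInstances" else 0         # isComputeCreate * 2
    return {"actor": actor, "awsRegion": region, "eventName": name, "riskScore": risk}


def run_detection(lines):
    """Score every record and return hits highest risk first (sort by riskScore)."""
    hits = [h for h in (score_event(line) for line in lines) if h]
    return sorted(hits, key=lambda h: h["riskScore"], reverse=True)


# Constructed sample records (account id and ARNs are placeholders, not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventName": "CreateAccessKey", "awsRegion": "sa-east-1",
     "userIdentity": {"type": "Root", "userName": "root"}},
    {"eventName": "CreateBucket", "awsRegion": "us-east-1",  # approved region: no hit
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci"}},
    {"eventName": "CreateUser", "awsRegion": "eu-north-1", "errorCode": "AccessDenied",  # failed call
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci"}},
]]
```

Running `run_detection(SAMPLE_EVENTS)` yields two hits: the root CreateAccessKey in sa-east-1 (riskScore 8) ahead of the RunInstances in ap-southeast-1 (riskScore 4); the approved-region bucket and the denied CreateUser are filtered out exactly as the query's where-clauses would do.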

Data Sources

  • AWS CloudTrail (Sumo Logic S3 source or HTTP source)
  • Azure Activity Logs (Sumo Logic Azure Monitor source)

Required Tables

Sumo Logic log index (configured _sourceCategory)

False Positives & Tuning

  • Approved cloud workload migrations where resources are being relocated to a new region as part of an authorized project — check change management records before escalating.
  • Security tooling deployments (e.g., bootstrapping GuardDuty, Security Hub, or Defender for Cloud in a previously uncovered region) which themselves trigger resource creation events in that region.
  • Development or sandbox accounts operated by engineering teams who routinely experiment in various regions outside the production-approved set.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS EC2 Instance Launch in Unused Region

    Expected signal: AWS CloudTrail EventName=RunInstances in region ap-southeast-1. UserIdentityArn shows the calling principal. RequestParameters will include imageId, instanceType, and maxCount. This event appears in both regional CloudTrail (if enabled in ap-southeast-1) and the global management events endpoint in us-east-1.

  2. Test 2: AWS S3 Bucket Creation in Unused Region

    Expected signal: AWS CloudTrail EventName=CreateBucket in region sa-east-1. The requestParameters field includes the bucket name and LocationConstraint. This event is captured in CloudTrail management events regardless of whether regional CloudTrail is enabled in sa-east-1.

  3. Test 3: AWS IAM Access Key Creation via Unused Region API Endpoint

    Expected signal: AWS CloudTrail EventName=CreateUser and EventName=CreateAccessKey. UserIdentityArn shows the calling principal. Even though IAM is global, these events should be correlated with the unusual region activity detected in other tests — a pattern of unusual region compute creation followed by IAM key creation is a high-confidence compromise indicator.

  4. Test 4: Azure Resource Group Creation in Unused Region

    Expected signal: Azure Activity Log OperationNameValue=Microsoft.Resources/resourceGroups/write with ActivityStatusValue=Succeeded. The Caller field shows the authenticated principal's UPN or service principal ID. CallerIpAddress records the source IP. Properties contains the location field 'japaneast', which the KQL extraction regex will parse.
