title: Unused/Unsupported Cloud Regions (T1535)
id: df00tech-t1535
status: experimental
description: "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained by compromising accounts used to manage cloud infrastructure. Cloud service providers operate infrastructure globally, but organizations typically monitor only the regions they actively use, and security tooling such as GuardDuty, Security Hub, or Defender for Cloud is often not enabled everywhere. Resources created in unmonitored or lightly monitored regions may go undetected, letting adversaries run cryptocurrency mining, stage command-and-control, exfiltrate data, or move laterally without triggering alerts scoped to the primary regions. On AWS the gap is structural: GuardDuty, Security Hub, and CloudTrail data event logging are all configured per region, so a region the organization never onboarded produces no GuardDuty findings and no Security Hub aggregation, even though a multi-region CloudTrail trail still records the management API calls made there. Region allowlisting on those control-plane events is therefore the practical detection point."
references:
  - https://attack.mitre.org/techniques/T1535/
  - https://df00tech.com/detections/T1535
author: df00tech
date: 2026/04/20
tags:
  - attack.t1535
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The description is AWS-centric, so the selection below targets CloudTrail management events.
logsource:
  product: aws
  service: cloudtrail
detection:
  # Baseline selection: EC2 instance launches outside the organization's approved regions.
  # Replace the region list in the filter with the regions you actually deploy to and monitor.
  # See also the KQL/SPL query on df00tech.
  selection:
    eventSource: ec2.amazonaws.com
    eventName: RunInstances
  filter_approved_regions:
    awsRegion:
      - us-east-1
      - eu-west-1
  condition: selection and not filter_approved_regions
falsepositives:
  - "Legitimate cloud expansion projects deploying to new regions for disaster recovery, latency optimization, or data residency compliance requirements where the approved region list has not been updated"
  - "Development and QA teams spinning up temporary infrastructure in non-production regions for performance benchmarking, compliance testing, or proof-of-concept work"
  - "Infrastructure-as-code automation pipelines (Terraform, CDK, ARM templates) deploying resources to new regions as part of an approved rollout where the change management process did not include updating detection allowlists"
  - "Third-party managed service providers, SaaS vendors, or cloud integrators creating resources on behalf of the organization in their operationally preferred regions"
  - Disaster recovery failover events where standby infrastructure is legitimately activated in secondary regions
level: high
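The rule's logic run over a handful of CloudTrail records, as an added worked example that is not part of the df00tech rule or MITRE's page. It flags RunInstances calls outside an approved region list and, separately, lists regions where mutating API calls landed but no GuardDuty detector exists, which is the coverage gap the description warns about. `APPROVED_REGIONS`, `GUARDDUTY_REGIONS`, and the sample trail are constructed assumptions; in production the first two would come from the organization's region policy and from `aws guardduty list-detectors` run in every region.

```python
"""Detection logic for T1535 run over constructed CloudTrail records.

Added example, not part of the df00tech rule or MITRE's page. It assumes
two environment facts an analyst would normally pull from policy and from
`aws guardduty list-detectors`: APPROVED_REGIONS (where the organization
deploys and monitors) and GUARDDUTY_REGIONS (where a detector exists).
The sample trail below is constructed for the demo.
"""
import json

# Assumption: regions the organization has approved and actively monitors.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}

# Assumption: regions with a GuardDuty detector enabled. In a real run,
# build this by calling list-detectors in every region of the account.
GUARDDUTY_REGIONS = {"us-east-1", "eu-west-1"}

# Constructed CloudTrail records, trimmed to the fields the rule needs.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-04-20T02:14:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "requestParameters": {"instanceType": "t3.medium"}},
    {"eventTime": "2026-04-20T02:31:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-south-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "requestParameters": {"instanceType": "p3.8xlarge"}},
    {"eventTime": "2026-04-20T02:31:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "sa-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "requestParameters": {"instanceType": "c5.24xlarge"}},
    {"eventTime": "2026-04-20T02:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-central-1", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/audit"}},
    {"eventTime": "2026-04-20T03:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"}},
]})


def load_records(trail_json):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list."""
    return json.loads(trail_json)["Records"]


def find_unapproved_launches(records, approved=APPROVED_REGIONS,
                             monitored=GUARDDUTY_REGIONS):
    """Mirror the Sigma rule: RunInstances outside the approved region list.

    Each hit also records whether GuardDuty covers that region, so the
    analyst can see which launches happened where no native detection exists.
    """
    hits = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "RunInstances":
            continue
        region = rec.get("awsRegion", "")
        if region in approved:
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "region": region,
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "instance_type": rec.get("requestParameters", {}).get("instanceType"),
            "guardduty_enabled": region in monitored,
        })
    return hits


def unmonitored_regions_with_changes(records, monitored=GUARDDUTY_REGIONS):
    """Regions where a mutating (readOnly: false) call landed but GuardDuty is absent.

    Read-only calls (Describe*, List*) are ignored; the point is to surface
    regions where something was created or changed and nothing would alert.
    """
    return {rec["awsRegion"] for rec in records
            if rec.get("readOnly") is False
            and rec.get("awsRegion") not in monitored}


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for hit in find_unapproved_launches(recs):
        flag = "" if hit["guardduty_enabled"] else " (no GuardDuty in region)"
        print(f"{hit['time']} {hit['principal']} launched {hit['instance_type']} "
              f"in {hit['region']}{flag}")
    print("mutating activity in unmonitored regions:",
          sorted(unmonitored_regions_with_changes(recs)))
```

The second check is what separates this technique from ordinary region drift: a launch in an unapproved region that GuardDuty does cover is a policy problem, while a launch in a region with no detector is the blind spot T1535 targets, and the same principal doing both within seconds, as in the sample, is a strong pivot for the incident responder.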
