1. Home
  2. ATT&CK Techniques
  3. T1535 Unused/Unsupported Cloud Regions

T1535 Unused/Unsupported Cloud Regions Mappings

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.

Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.

A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. For example, AWS GuardDuty is not supported in every region.(Citation: AWS Region Service Table)

An example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking, which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
SC-23 Session Authenticity Protects T1535 Unused/Unsupported Cloud Regions
azure_sentinel Azure Sentinel technique_scores T1535 Unused/Unsupported Cloud Regions
Comments
The Azure Sentinel Analytics "Suspicious Resource deployment" query can identify adversary attempts to maintain persistence or evade defenses by leveraging unused and/or unmonitored resources.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
azure_policy Azure Policy technique_scores T1535 Unused/Unsupported Cloud Regions
Comments
This control may provide recommendations to restrict the allowed locations your organization can specify when deploying resources or creating resource groups.
References
  1. https://docs.microsoft.com/en-us/azure/governance/policy/overview
  2. https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#api-for-fhir
cloud_app_security_policies Cloud App Security Policies technique_scores T1535 Unused/Unsupported Cloud Regions
Comments
This control can detect unusual region and activity for cloud resources (preview feature as of this writing). Relevant alert is "Suspicious creation activity for cloud region".
References
  1. https://docs.microsoft.com/en-us/cloud-app-security/policies-cloud-discovery
  2. https://docs.microsoft.com/en-us/cloud-app-security/policies-information-protection
  3. https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts