Description
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.
Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.
A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.
An example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking, which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)
Mitigations (1)
M1054 Software Configuration
Cloud service providers may allow customers to deactivate unused regions.(Citation: CloudSploit - Unused AWS Regions)
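The description above points out that unused regions are usually the ones nobody monitors. As an added example (not part of the ATT&CK entry or the cited CloudSploit source), this Python triage pass reads CloudTrail-shaped records and flags any API activity outside an approved-region allowlist, ranking resource creation highest. The approved regions, account id, actors and events are constructed assumptions.

```python
import json
from collections import defaultdict

# Regions this (hypothetical) account is expected to use; every other region is
# "unused" and should be empty, so any activity there deserves a look.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}

# API calls that create or start compute/network resources (real EC2/ECS API names).
CREATION_EVENTS = {"RunInstances", "StartInstances", "CreateVpc", "CreateCluster"}

# Constructed sample records in CloudTrail's field layout (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-01-10T22:14:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-01-10T22:15:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-01-11T01:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "awsRegion": "sa-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-runner"}},
]

def classify(event):
    """Return a severity for activity outside APPROVED_REGIONS, or None if in-policy."""
    if event.get("awsRegion") in APPROVED_REGIONS:
        return None
    name = event.get("eventName", "")
    if name in CREATION_EVENTS:
        return "high"      # new compute in a region nobody watches: the T1535 pattern
    if name.startswith(("Describe", "List", "Get")):
        return "low"       # read-only probe of an unused region; worth correlating
    return "medium"        # any other change in an unused region

def triage(events):
    """Group out-of-region events by severity as (region, eventName, actor) tuples."""
    findings = defaultdict(list)
    for ev in events:
        sev = classify(ev)
        if sev is not None:
            findings[sev].append((ev["awsRegion"], ev["eventName"], ev["userIdentity"]["arn"]))
    return dict(findings)

def triage_jsonl(lines):
    """Same check over newline-delimited JSON, the shape a log pipeline usually hands over."""
    return triage(json.loads(line) for line in lines if line.strip())

if __name__ == "__main__":
    for sev, items in sorted(triage(SAMPLE_EVENTS).items()):
        for region, name, actor in items:
            print(f"[{sev}] {name} in {region} by {actor}")
```

Pair this with the mitigation above: once unused regions are deactivated at the account level, any event this check surfaces in those regions is a configuration drift or a compromised credential rather than noise.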
Frequently Asked Questions
What is T1535 (Unused/Unsupported Cloud Regions)?
T1535 is a MITRE ATT&CK technique named 'Unused/Unsupported Cloud Regions'. It belongs to the Stealth tactic. Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure....
How can T1535 be detected?
Detection of T1535 (Unused/Unsupported Cloud Regions) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1535?
There is 1 documented mitigation for T1535: Software Configuration (M1054).
Which threat groups use T1535?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.