AN1493: Analytic 1493
Unauthorized instance creation in unmonitored or unused regions. Burst of compute-intensive jobs in spot instances or sudden spike in resource usage in legitimate VMs.
Analyst context for executives and security teams
This analytic matters because unexpected cloud compute creation or sudden resource spikes can turn into business problems quickly: cost overruns, capacity disruption, investigation workload, and evidence gaps if activity occurs in regions the organization does not monitor. For leaders, the key question is whether cloud governance and SOC visibility cover all enabled IaaS regions and compute types, including spot instances and legitimate VMs with abnormal usage.
Executive priority
Prioritize validation of IaaS regional monitoring, cloud resource inventory, and usage anomaly review. This behavior is especially relevant to cloud security, managed detection, incident response readiness, cost governance, and audit evidence, because unmonitored or unused regions create blind spots where unauthorized compute activity can go unnoticed for long periods.
Technical view
For SOC and cloud detection teams, validate whether telemetry can identify new instance creation in unused or unmonitored IaaS regions, bursts of compute-intensive jobs on spot instances, and sudden spikes in resource usage on otherwise legitimate VMs. Because the ATT&CK object supplies no official detection logic and no relationship context, detections must be built on local baselines: approved regions, expected VM usage, known spot instance patterns, and authorized provisioning workflows.
Likely telemetry
- Cloud control-plane audit logs for instance creation events
- IaaS region and account or subscription inventory
- Compute resource utilization metrics for VMs
- Spot instance provisioning and job activity records
- Cloud billing, quota, and usage data
Detection direction
- Alert on instance creation in regions not approved, unused, or not covered by normal monitoring.
- Compare spot instance activity against expected job schedules, owners, and compute profiles.
- Baseline legitimate VM resource usage and investigate sudden spikes that do not align with approved workload changes.
- Correlate provisioning events with identity, change-management, and asset-inventory records to reduce false positives from authorized deployments.
- Check for monitoring blind spots: disabled regions, newly enabled regions, accounts or projects outside central logging, and telemetry not retained long enough for incident review.
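The three detection directions above, run over sample data, as an added example that is not part of the ATT&CK object or the Glexia page. The records are constructed, abridged CloudTrail-style RunInstances events (real records carry many more fields), the approved-region set, the 15-minute spot window, the threshold of 20 instances and the 3-sigma CPU rule are all assumptions to be replaced with local baselines, and the role and user ARNs are hypothetical.

```python
"""Detection sketch for the AN1493 behaviors: instance creation in unapproved
regions, spot-instance bursts, and VM usage spikes against a local baseline.
All sample data below is constructed for illustration and is not real telemetry."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: the organization has approved only these two regions.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}


def _ev(time, region, arn, count=1, spot=False):
    """Build an abridged CloudTrail-style RunInstances record (constructed sample)."""
    params = {"instanceType": "c5.4xlarge" if spot else "t3.medium", "maxCount": count}
    if spot:
        params["instanceMarketOptions"] = {"marketType": "spot"}
    return {"eventTime": time, "eventName": "RunInstances", "awsRegion": region,
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Hypothetical principals.
CI = "arn:aws:iam::111111111111:role/ci-deploy"
BATCH = "arn:aws:iam::111111111111:role/batch-runner"
ETL = "arn:aws:iam::111111111111:role/nightly-etl"
CONTRACTOR = "arn:aws:iam::111111111111:user/contractor-temp"

SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("2024-05-01T10:00:00Z", "us-east-1", CI),                  # approved, on-demand
    _ev("2024-05-01T10:02:00Z", "ap-southeast-2", CONTRACTOR, 4),   # unapproved region
    _ev("2024-05-01T10:05:00Z", "us-east-1", BATCH, 8, spot=True),  # start of spot burst
    _ev("2024-05-01T10:09:00Z", "us-east-1", BATCH, 8, spot=True),
    _ev("2024-05-01T10:14:00Z", "us-east-1", BATCH, 8, spot=True),
    _ev("2024-05-01T11:30:00Z", "eu-west-1", ETL, 4, spot=True),    # normal spot usage
])


def parse_events(text):
    """One JSON object per line, as a log shipper would deliver it."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unapproved_region_findings(events, approved=APPROVED_REGIONS):
    """Any instance creation outside the approved region set is a finding."""
    return [(e["awsRegion"], e["userIdentity"]["arn"]) for e in events
            if e["eventName"] == "RunInstances" and e["awsRegion"] not in approved]


def spot_burst_findings(events, window=timedelta(minutes=15), threshold=20):
    """Per principal, sum spot instances requested inside a sliding window and flag
    the first window whose total reaches `threshold` (both values are assumptions)."""
    per_principal = defaultdict(list)
    for e in events:
        rp = e.get("requestParameters", {})
        if (e["eventName"] != "RunInstances"
                or rp.get("instanceMarketOptions", {}).get("marketType") != "spot"):
            continue
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_principal[e["userIdentity"]["arn"]].append((t, rp.get("maxCount", 1)))
    findings = []
    for arn, reqs in per_principal.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            total = sum(c for t, c in reqs[i:] if t - start <= window)
            if total >= threshold:
                findings.append((arn, start.isoformat(), total))
                break
    return findings


# Constructed CPU% samples per VM: (baseline history, current reading).
CPU_SAMPLES = {
    "vm-web-01": ([12, 15, 14, 13, 16, 12, 15, 14], 94),
    "vm-db-01": ([40, 45, 42, 48, 44, 46, 41, 43], 50),
}


def cpu_spike_findings(samples, z=3.0, min_sd=1.0):
    """Flag a VM whose current utilization exceeds baseline mean + z * stdev.
    `min_sd` floors the deviation so a perfectly flat baseline does not flag noise."""
    out = []
    for vm, (baseline, now) in samples.items():
        mu, sd = mean(baseline), max(pstdev(baseline), min_sd)
        if now > mu + z * sd:
            out.append(vm)
    return out


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("unapproved regions:", unapproved_region_findings(EVENTS))
    print("spot bursts:", spot_burst_findings(EVENTS))
    print("cpu spikes:", cpu_spike_findings(CPU_SAMPLES))
```

On the sample data the contractor's launch in ap-southeast-2 is the only region finding, the batch-runner role trips the spot threshold at 24 instances inside one window while the nightly-etl role's 4 instances do not, and only vm-web-01 exceeds its baseline. Each finding should still be joined to change-management and identity records before it becomes an alert, which is where most authorized-deployment false positives drop out.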
Mitigation priorities
- Define and enforce approved IaaS regions and expected compute usage patterns.
- Ensure cloud audit logging, inventory, metrics, and billing visibility cover all enabled regions and accounts or projects.
- Restrict who can create instances or use spot capacity based on least privilege and approved workflows.
- Use quotas, budgets, and usage alerts to surface abnormal compute growth early.
- Document cloud monitoring coverage and region governance as compliance and incident-response evidence.
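The first and third mitigation priorities, enforcing approved regions and restricting who can create instances there, can be expressed as a single organization-level guardrail. The block below is an added example, not part of the ATT&CK object or the Glexia page: it builds an AWS Organizations service control policy in the shape of AWS's documented region-restriction pattern (a Deny on everything except global-service actions when aws:RequestedRegion is outside the approved list) and runs a deliberately simplified evaluator over constructed requests to show what the policy blocks. The approved regions, the global-action list and the sample requests are assumptions.

```python
"""Preventive control for AN1493: an AWS Organizations SCP that denies non-global
API calls outside approved regions, with a minimal evaluator to show which
requests it blocks. Added example; the evaluator simplifies real IAM evaluation."""
import json

# Assumption: these are the organization's approved regions.
APPROVED_REGIONS = ["us-east-1", "eu-west-1"]

# Services whose APIs are global and would break if region-restricted. The list
# follows the pattern of AWS's documented region-restriction SCP example and
# must be tuned to what the organization actually uses (assumption).
GLOBAL_ACTIONS = ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                  "route53:*", "support:*", "budgets:*"]


def region_guardrail_scp(approved=APPROVED_REGIONS):
    """Deny every action not in GLOBAL_ACTIONS when the requested region is
    outside the approved set. SCPs never grant access; they only cap it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": approved}},
        }],
    }


def _action_matches(pattern, action):
    """Match 'svc:Name' or 'svc:*' patterns (the only forms this example uses)."""
    svc_p, act_p = pattern.split(":", 1)
    svc, act = action.split(":", 1)
    return svc_p == svc and act_p in ("*", act)


def is_denied(policy, action, region):
    """Simplified evaluation: a Deny statement applies when the action is not
    excluded by NotAction and the region fails the StringNotEquals condition.
    Real IAM evaluation also considers identity policies, resource policies
    and permission boundaries; this only models the SCP's Deny."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        excluded = any(_action_matches(p, action) for p in st.get("NotAction", []))
        allowed = (st.get("Condition", {}).get("StringNotEquals", {})
                   .get("aws:RequestedRegion", []))
        if not excluded and region not in allowed:
            return True
    return False


def evaluate_requests(policy, requests):
    """Return the subset of (action, region) pairs the SCP would deny."""
    return [(a, r) for a, r in requests if is_denied(policy, a, r)]


# Constructed requests; the unapproved-region launches are the AN1493 case.
SAMPLE_REQUESTS = [
    ("ec2:RunInstances", "us-east-1"),
    ("ec2:RunInstances", "ap-southeast-2"),
    ("ec2:RequestSpotInstances", "sa-east-1"),
    ("sts:GetCallerIdentity", "ap-southeast-2"),
]

if __name__ == "__main__":
    policy = region_guardrail_scp()
    print(json.dumps(policy, indent=2))
    print("denied:", evaluate_requests(policy, SAMPLE_REQUESTS))
```

Two caveats a practitioner should keep in mind: an SCP does not apply to the organization's management account, so that account still needs the detection logic, and a blanket Deny also blocks read-only security tooling in the unapproved regions, so the guardrail should be paired with the monitoring coverage check rather than replace it.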
Analyst notes and limits
This is a detection analytic object for enterprise ATT&CK, platform IaaS, external ID AN1493. The supplied description covers unauthorized instance creation in unmonitored or unused regions and compute or resource spikes on spot instances or legitimate VMs. No tactics, relationships, aliases, labels, or official detection content were supplied, so local cloud architecture and baselines are required to operationalize it.
The source object is sparse: it provides no detection logic, data source mappings, tactics, mitigations, threat actors, campaigns, or examples. This analysis should be treated as defensive validation guidance, not as evidence of active exploitation or of confirmed coverage in any environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c5467fa025a2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1493
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.