DET0247: Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS)
Analyst context for executives and security teams
This detection strategy matters because adversaries with access to cloud infrastructure accounts may move activity into IaaS regions the organization does not normally use or monitor. For leaders, the key issue is not just cloud geography; it is whether cloud governance, SOC visibility, and incident response cover the full provider footprint rather than only the regions where production workloads are expected.
Executive priority
Prioritize this as a cloud security and resilience validation item: confirm the business has an authoritative list of approved or supported IaaS regions, evidence that unused regions are monitored or restricted, and an incident process for investigating unexpected regional activity. This can also support compliance readiness where region usage is tied to data residency, approved architecture, or cloud control evidence.
Technical view
The supplied ATT&CK relationship maps this detection strategy to T1535, Unused/Unsupported Cloud Regions, a Defense Evasion technique on the IaaS platform. SOC and detection teams should validate whether cloud control-plane activity, resource creation, and infrastructure-management account activity are visible across all regions, including regions the organization has never deployed to. Detection logic should compare observed regional activity against an approved-region baseline and prioritize events that create cloud instances or other infrastructure in regions outside that baseline, since creation of compute in an unused region is the specific behavior T1535 describes.
Likely telemetry
- Cloud control-plane audit events across all IaaS regions
- Cloud resource inventory or asset records grouped by region
- Identity and account activity for users or roles that manage cloud infrastructure
- Events showing creation or modification of cloud instances or related infrastructure
- Configuration or governance records defining approved, supported, or expected cloud regions
Detection direction
- Build or validate an approved-region baseline and alert on activity in unused or unsupported regions.
- Ensure detections query all available regions, including regions that are enabled but carry no workloads; a search scoped to production or commonly used regions will never see this activity.
- Tune for legitimate exceptions such as disaster recovery, performance testing, redundancy, or compliance-driven regional deployments.
- Correlate unexpected regional activity with infrastructure-management account usage, especially where account compromise is a concern.
- Review whether detection content can distinguish first-time or rare regional activity from routine multi-region operations.
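The baseline comparison described in the technical view and the detection points above, as an added, runnable illustration (it is not MITRE or Glexia code). Event field names follow the AWS CloudTrail record format, but every event, account ID, role name, approved-region list, exception and threshold below is constructed for the example. The check skips global services (which report a fixed region regardless of where the caller operates), honours documented exceptions such as a disaster-recovery role, labels out-of-baseline activity as first-seen, rare or recurring using a prior-activity counter, and escalates when the event creates infrastructure or comes from an infrastructure-management principal.

```python
"""Approved-region baseline check over CloudTrail-style control-plane events.

Added example for this page, not MITRE or Glexia code. Field names follow
AWS CloudTrail; the events, accounts, roles and thresholds are constructed.
"""
from collections import Counter

# Constructed sample telemetry: five control-plane events from one account.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-01T09:00:00Z", "recipientAccountId": "111122223333",
     "awsRegion": "us-east-1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-run-42"}},
    {"eventTime": "2026-03-01T09:05:00Z", "recipientAccountId": "111122223333",
     "awsRegion": "us-east-1", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2026-03-01T09:10:00Z", "recipientAccountId": "111122223333",
     "awsRegion": "us-west-2", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DRFailoverRole/drill"}},
    {"eventTime": "2026-03-01T09:15:00Z", "recipientAccountId": "111122223333",
     "awsRegion": "ap-southeast-1", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/InfraAdmin/alice"}},
    {"eventTime": "2026-03-01T09:16:00Z", "recipientAccountId": "111122223333",
     "awsRegion": "ap-southeast-1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/InfraAdmin/alice"}},
]

# Governance inputs (constructed). In practice these come from the approved
# architecture record, not from the detection itself.
APPROVED_REGIONS = {"111122223333": {"us-east-1", "eu-west-1"}}
# Documented exceptions keyed by (account, region, principal name) -> reason.
REGION_EXCEPTIONS = {("111122223333", "us-west-2", "DRFailoverRole"): "disaster recovery"}
# Principals that manage infrastructure; their out-of-baseline activity is escalated.
MGMT_PRINCIPALS = {"InfraAdmin", "OrganizationAccountAccessRole"}
# Events that create infrastructure, the behaviour T1535 describes.
CREATE_EVENTS = {"RunInstances", "CreateVpc", "CreateFunction", "CreateCluster",
                 "CreateDBInstance", "CreateStack"}
# Global services log a fixed region regardless of where the caller operates,
# so they say nothing about regional infrastructure use and are skipped.
GLOBAL_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "cloudfront.amazonaws.com",
                  "route53.amazonaws.com", "organizations.amazonaws.com"}
RARE_THRESHOLD = 5  # fewer prior events than this in a region counts as "rare"


def principal_name(arn):
    """Return the role or user name from an IAM/STS ARN.

    'arn:aws:sts::123:assumed-role/Role/session' -> 'Role'
    'arn:aws:iam::123:user/alice'               -> 'alice'
    """
    resource = arn.split(":", 5)[5]  # everything after the account id
    parts = resource.split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def evaluate(events, approved=APPROVED_REGIONS, exceptions=REGION_EXCEPTIONS, history=None):
    """Compare each event's region with the account's approved-region baseline.

    history maps (account, region) -> prior event count (for example from the
    last 90 days of audit logs). It is updated as events are consumed, so the
    first event ever seen in a region is labelled first-seen. Returns alerts.
    """
    seen = Counter(history or {})
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventSource"] in GLOBAL_SOURCES:
            continue
        account, region = ev["recipientAccountId"], ev["awsRegion"]
        principal = principal_name(ev["userIdentity"]["arn"])
        prior = seen[(account, region)]
        seen[(account, region)] += 1
        if region in approved.get(account, set()):
            continue
        if (account, region, principal) in exceptions:
            continue  # documented DR / testing / compliance deployment
        rarity = ("first-seen" if prior == 0
                  else "rare" if prior < RARE_THRESHOLD
                  else "recurring")  # recurring = baseline gap to review, not an incident
        creates = ev["eventName"] in CREATE_EVENTS
        mgmt = principal in MGMT_PRINCIPALS
        severity = "critical" if creates and mgmt else "high" if creates or mgmt else "medium"
        alerts.append({"time": ev["eventTime"], "account": account, "region": region,
                       "principal": principal, "event": ev["eventName"], "rarity": rarity,
                       "creates_infra": creates, "management_principal": mgmt,
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the DR failover in us-west-2 is suppressed by its exception, the IAM call is skipped as a global service, and the two ap-southeast-1 events become a first-seen "high" alert (reconnaissance by a management role) followed by a "critical" alert for RunInstances. Passing a history that already shows heavy ap-southeast-1 use turns both into "recurring", which is the signal to fix the baseline rather than open an incident. The check is only as good as audit-log coverage: if logging is not enabled in every region, these events never reach it.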
Mitigation priorities
- Define and maintain an approved list of IaaS regions for each account, environment, or business unit.
- Restrict or govern use of unsupported regions where organizational policy and cloud controls allow, for example an organization-level policy that denies API calls whose target region is outside the approved set while exempting global services that always report a fixed region.
- Require monitoring coverage for regions even when no workloads are expected there.
- Harden and monitor accounts used to manage cloud infrastructure, since the related technique notes access is usually obtained through compromised management accounts.
- Include unexpected regional resource creation in cloud incident response playbooks and compliance evidence reviews.
Analyst notes and limits
The official detection strategy object provides no description, detection text, tactics, or platforms of its own. The practical interpretation is based on its name and its ATT&CK relationship to T1535, which describes adversaries creating cloud instances in unused geographic service regions to evade detection, typically after compromising cloud infrastructure management accounts.
This take should be validated against the organization’s actual cloud providers, enabled regions, logging configuration, and approved architecture. The supplied ATT&CK data does not provide vendor-specific events, analytic logic, thresholds, mitigations, or evidence of active exploitation.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1535 | Unused/Unsupported Cloud Regions | This object detects Unused/Unsupported Cloud Regions. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f8b667fbb683… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0247 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.