MITRE ATT&CK Technique
Description
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected. A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. An example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-09-04T14:35:04.617Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may create cloud instances in unused geographic '
'service regions in order to evade detection. Access is '
'usually obtained through compromising accounts used to manage '
'cloud infrastructure.\n'
'\n'
'Cloud service providers often provide infrastructure '
'throughout the world in order to improve performance, provide '
'redundancy, and allow customers to meet compliance '
'requirements. Oftentimes, a customer will only use a subset '
'of the available regions and may not actively monitor other '
'regions. If an adversary creates resources in an unused '
'region, they may be able to operate undetected.\n'
'\n'
'A variation on this behavior takes advantage of differences '
'in functionality across cloud regions. An adversary could '
'utilize regions which do not support advanced detection '
'services in order to avoid detection of their activity.\n'
'\n'
'An example of adversary use of unused AWS regions is to mine '
'cryptocurrency through [Resource '
'Hijacking](https://attack.mitre.org/techniques/T1496), which '
'can cost organizations substantial amounts of money over time '
'depending on the processing power used.(Citation: CloudSploit '
'- Unused AWS Regions)',
'external_references': [{'external_id': 'T1535',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1535'},
{'description': 'CloudSploit. (2019, June 8). The '
'Danger of Unused AWS Regions. '
'Retrieved October 8, 2019.',
'source_name': 'CloudSploit - Unused AWS Regions',
'url': 'https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc'}],
'id': 'attack-pattern--59bd0dec-f8b2-4b9a-9141-37a1e6899761',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:49.853Z',
'name': 'Unused/Unsupported Cloud Regions',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Netskope'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS'],
'x_mitre_version': '1.1'}