Unused/Unsupported Cloud Regions

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.

Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.

A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. For example, AWS GuardDuty is not supported in every region.

An example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking (T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.


ID: T1535

Tactic: Defense Evasion

Platforms: AWS, GCP, Azure

Data Sources: Stackdriver logs, Azure activity logs, AWS CloudTrail logs


Mitigation | Description
Software Configuration (M1054) | Cloud service providers may allow customers to deactivate unused regions.



Monitor system logs to review activities occurring across all cloud environments and regions. Configure alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.
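The two checks described above (activity in regions the organization does not normally use, and a per-region instance count above a threshold) as an added Python example run over constructed CloudTrail-style records; this is not code from the ATT&CK page and the region allowlist, the threshold of 3, the account id 111122223333 and the log records are all assumptions made for the example:

```python
"""Flag CloudTrail activity in unused regions and per-region instance counts above a threshold."""
import json
from collections import Counter

# Assumption: the regions this organization actually operates in; adjust to your environment.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}
# Assumption: alert when more than this many instances are launched in a single region.
INSTANCE_THRESHOLD = 3

# Constructed CloudTrail-style records (not real logs), reduced to the fields used below.
# Two RunInstances calls land in ap-south-1, a region that is not on the allowlist.
SAMPLE_CLOUDTRAIL = """\
{"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}}
{"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "responseElements": null}
{"eventTime": "2024-05-01T02:11:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "ap-south-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"}, "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb"}, {"instanceId": "i-0ccc"}]}}}
{"eventTime": "2024-05-01T02:13:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "ap-south-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"}, "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0ddd"}, {"instanceId": "i-0eee"}]}}}
{"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "responseElements": null}
"""


def parse_events(ndjson):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def launched_instances(event):
    """Number of instances created by a RunInstances call (0 for any other event).

    responseElements is null for failed calls, so guard against None before indexing.
    """
    if event.get("eventName") != "RunInstances":
        return 0
    resp = event.get("responseElements") or {}
    return len(resp.get("instancesSet", {}).get("items", []))


def unused_region_activity(events, allowed=ALLOWED_REGIONS):
    """Return (time, region, eventName, actor) for every record outside the allowed regions.

    Every API call is reported, not only instance launches, because any activity in a
    region the organization does not use is worth a look.
    """
    hits = []
    for e in events:
        if e.get("awsRegion") not in allowed:
            actor = e.get("userIdentity", {}).get("arn", "unknown")
            hits.append((e["eventTime"], e["awsRegion"], e["eventName"], actor))
    return hits


def regions_over_threshold(events, threshold=INSTANCE_THRESHOLD):
    """Sum instances launched per region and return the regions above the threshold."""
    counts = Counter()
    for e in events:
        counts[e["awsRegion"]] += launched_instances(e)
    return {region: n for region, n in counts.items() if n > threshold}


def main():
    events = parse_events(SAMPLE_CLOUDTRAIL)
    for time, region, name, actor in unused_region_activity(events):
        print(f"ALERT unused region {region}: {name} by {actor} at {time}")
    for region, n in regions_over_threshold(events).items():
        print(f"ALERT {n} instances launched in {region} (threshold {INSTANCE_THRESHOLD})")


if __name__ == "__main__":
    main()
```

On the sample records both rules fire for ap-south-1: two RunInstances calls outside the allowlist, and four instances launched in that region against a threshold of three. In a real deployment the allowlist and threshold would be tuned per account, and the records would come from a CloudTrail trail configured to log all regions rather than from an inline string.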