Modify Cloud Resource Hierarchy
This detection identifies adversarial modification of cloud resource hierarchy structures in IaaS environments, including AWS Organizations and Azure Management Groups and Subscriptions. Adversaries with elevated privileges may create new AWS accounts within an organization to bypass Service Control Policies, call LeaveOrganization to sever an account from its parent organization and remove guardrails, transfer Azure subscriptions between tenants to abuse victim compute resources without generating logs on the victim tenant (subscription hijacking), or create new Azure subscriptions under compromised Global Administrator accounts. These actions enable adversaries to operate in environments with reduced policy enforcement, evade centralized detection controls, and consume cloud resources at the victim's expense.
What is T1666 Modify Cloud Resource Hierarchy?
Modify Cloud Resource Hierarchy (T1666) maps to the MITRE ATT&CK Defense Evasion tactic, in which the adversary is trying to avoid being detected.
This page provides production-ready detection logic for Modify Cloud Resource Hierarchy, covering the data sources and telemetry it touches: Azure Monitor, Microsoft Entra ID (Azure AD), Microsoft Defender for Cloud. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1666 Modify Cloud Resource Hierarchy
- Canonical reference
- https://attack.mitre.org/techniques/T1666/
// ARM-level hierarchy changes: subscription, management group and billing transfer operations
let AzureHierarchyOps = AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue in~ (
"MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/WRITE",
"MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/DELETE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE",
"MICROSOFT.BILLING/TRANSFERS/ACCEPT",
"MICROSOFT.BILLING/TRANSFERS/INITIATE"
)
// Pull the caller UPN and home tenant out of the token claims
| extend CallerClaims = parse_json(Claims)
| extend UserPrincipalName = tostring(CallerClaims["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"])
| extend TenantId = tostring(CallerClaims["tid"])
| project
TimeGenerated,
Source = "AzureActivity",
Operation = OperationNameValue,
Status = ActivityStatus,
CallerIpAddress,
Caller,
UserPrincipalName,
SubscriptionId,
ResourceGroup,
ResourceId,
TenantId;
// Directory-level hierarchy changes recorded in the Entra ID audit log
let AzureAuditHierarchy = AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in~ (
"Add subscription",
"Delete subscription",
"Update subscription",
"Add management group",
"Delete management group",
"Move subscription to management group",
"Remove subscription from management group"
)
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy))["user"]["userPrincipalName"])
| extend InitiatedByIP = tostring(parse_json(tostring(InitiatedBy))["user"]["ipAddress"])
// Project onto the same schema as AzureHierarchyOps so the union lines up;
// TargetResources is dynamic, so cast it to string to match ResourceId
| project
TimeGenerated,
Source = "AuditLogs",
Operation = OperationName,
Status = Result,
CallerIpAddress = InitiatedByIP,
Caller = InitiatedByUser,
UserPrincipalName = InitiatedByUser,
SubscriptionId = "",
ResourceGroup = "",
ResourceId = tostring(TargetResources),
TenantId = TenantId;
union AzureHierarchyOps, AzureAuditHierarchy
// Rank by impact: billing transfers (subscription hijacking) highest, then deletions, then moves, then creations
| extend RiskScore = case(
Operation has_any ("TRANSFERS", "Transfer"), 100,
Operation has_any ("DELETE", "Delete"), 85,
Operation has_any ("MANAGEMENTGROUPS/SUBSCRIPTIONS", "Remove subscription"), 80,
Operation has_any ("SUBSCRIPTIONS/WRITE", "Add subscription"), 70,
Operation has_any ("MANAGEMENTGROUPS/WRITE", "Add management group"), 65,
60
)
| where RiskScore >= 65
| order by RiskScore desc, TimeGenerated desc
Detects modifications to the Azure Management Group and Subscription hierarchy, including subscription creation and deletion, management group changes, subscription-to-management-group moves, and billing transfer operations indicative of subscription hijacking. Unions AzureActivity and AuditLogs to capture both ARM-level and Azure AD directory-level hierarchy changes.
Data Sources
Required Tables
False Positives
- Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
- Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
- DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement
Sigma rule & cross-platform mapping
The detection logic for Modify Cloud Resource Hierarchy (T1666) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  product: azure
References (5)
- https://attack.mitre.org/techniques/T1666/
- https://techcommunity.microsoft.com/t5/azure-governance-and-management/protect-your-azure-resources-from-subscription-hijacking/ba-p/3717968
- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-in-threat-detection.pdf
- https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html
- https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS Organization Account Departure (LeaveOrganization)
  Expected signal: AWS CloudTrail event: eventName=LeaveOrganization, eventSource=organizations.amazonaws.com, userIdentity.accountId=<member-account-id>. No errorCode if permissions are correct.
- Test 2: AWS Create New Organization Account
  Expected signal: AWS CloudTrail events: CreateAccount (async, requestParameters.accountName='AtomicTest-T1666') followed by CreateAccountResult with responseElements.createAccountStatus.state=SUCCEEDED.
- Test 3: Azure Management Group Subscription Move
  Expected signal: AzureActivity records with OperationNameValue: MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE and MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE. Caller will be the authenticated principal's UPN.