T1666 Modify Cloud Resource Hierarchy Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AzureHierarchyOps = AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue in~ (
    "MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/WRITE",
    "MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/DELETE",
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE",
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE",
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE",
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE",
    "MICROSOFT.BILLING/TRANSFERS/ACCEPT",
    "MICROSOFT.BILLING/TRANSFERS/INITIATE"
)
| extend CallerClaims = parse_json(Claims)
| extend UserPrincipalName = tostring(CallerClaims["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"])
| extend TenantId = tostring(CallerClaims["tid"])
| project
    TimeGenerated,
    Source = "AzureActivity",
    Operation = OperationNameValue,
    Status = ActivityStatus,
    CallerIpAddress,
    Caller,
    UserPrincipalName,
    SubscriptionId,
    ResourceGroup,
    ResourceId,
    TenantId;
let AzureAuditHierarchy = AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in~ (
    "Add subscription",
    "Delete subscription",
    "Update subscription",
    "Add management group",
    "Delete management group",
    "Move subscription to management group",
    "Remove subscription from management group"
)
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy))["user"]["userPrincipalName"])
| extend InitiatedByIP = tostring(parse_json(tostring(InitiatedBy))["user"]["ipAddress"])
| project
    TimeGenerated,
    Source = "AuditLogs",
    Operation = OperationName,
    Status = Result,
    CallerIpAddress = InitiatedByIP,
    Caller = InitiatedByUser,
    UserPrincipalName = InitiatedByUser,
    SubscriptionId = "",
    ResourceGroup = "",
    ResourceId = TargetResources,
    TenantId = TenantId;
union AzureHierarchyOps, AzureAuditHierarchy
| extend RiskScore = case(
    Operation has_any ("TRANSFERS", "Transfer"), 100,
    Operation has_any ("DELETE", "Delete"), 85,
    Operation has_any ("MANAGEMENTGROUPS/SUBSCRIPTIONS", "Remove subscription"), 80,
    Operation has_any ("SUBSCRIPTIONS/WRITE", "Add subscription"), 70,
    Operation has_any ("MANAGEMENTGROUPS/WRITE", "Add management group"), 65,
    60
)
| where RiskScore >= 65
| order by RiskScore desc, TimeGenerated desc

critical severity high confidence

Data Sources

Azure Monitor Microsoft Entra ID (Azure AD) Microsoft Defender for Cloud

Required Tables

AzureActivity AuditLogs

False Positives

Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement

Splunk

spl

index=* sourcetype="aws:cloudtrail"
| search eventName IN (
    "LeaveOrganization",
    "CreateAccount",
    "MoveAccount",
    "InviteAccountToOrganization",
    "RemoveAccountFromOrganization",
    "AcceptHandshake",
    "DeclineHandshake",
    "DeleteOrganizationalUnit",
    "CreateOrganizationalUnit",
    "DeleteOrganization",
    "DetachPolicy",
    "DisablePolicyType"
)
| eval risk_score=case(
    eventName="LeaveOrganization", 100,
    eventName="RemoveAccountFromOrganization", 95,
    eventName="DeleteOrganization", 100,
    eventName="DisablePolicyType", 90,
    eventName="DetachPolicy", 80,
    eventName="CreateAccount", 70,
    eventName="DeleteOrganizationalUnit", 75,
    eventName="AcceptHandshake", 60,
    eventName="MoveAccount", 55,
    true(), 50
)
| eval actor=coalesce('userIdentity.arn', 'userIdentity.userName', 'userIdentity.principalId', "unknown")
| eval assumed_role=if(userIdentity.type="AssumedRole", "true", "false")
| eval error_present=if(isnotnull(errorCode), errorCode." - ".errorMessage, "none")
| eval target_account=coalesce('requestParameters.accountId', 'requestParameters.targetId', "N/A")
| where risk_score >= 55
| table _time, eventName, actor, assumed_role, sourceIPAddress, awsRegion, target_account, risk_score, error_present, userAgent
| sort -risk_score, -_time

critical severity high confidence

Data Sources

AWS CloudTrail

Required Sourcetypes

aws:cloudtrail

False Positives

Cloud platform engineering teams legitimately creating new AWS accounts within an organization for new environments (dev, staging, prod) via approved IaC pipelines
AWS Organizations administrators reorganizing Organizational Units (OUs) or moving accounts between OUs as part of planned restructuring
Authorized billing administrators disabling specific SCP policy types in non-production OUs for testing purposes

Elastic Security (EQL)

eql

any where event.dataset : "azure.*" and (
  event.action : ("Add*", "Update*", "Delete*", "Consent*") and
  not user.name : "service-*"
) or (
  event.dataset == "azure.signinlogs" and
  event.outcome == "success" and
  source.as.organization.name : ("Tor*", "VPN*")
)

critical severity high confidence

Data Sources

Azure Active Directory Elastic Azure Integration

Required Tables

logs-azure.auditlogs-* logs-azure.signinlogs-*

False Positives

Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS UserPrincipalName,
    sourceip AS SourceIP,
    "EventName" AS Operation,
    CASE
        WHEN "EventName" ILIKE '%delete%' OR "EventName" ILIKE '%remove%' THEN 85
        WHEN "EventName" ILIKE '%add%' OR "EventName" ILIKE '%create%' THEN 70
        WHEN "EventName" ILIKE '%update%' THEN 65
        ELSE 55
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure', 'Azure Active Directory Audit Log')
    AND ("EventName" ILIKE '%subscription%'
        OR "EventName" ILIKE '%consent%'
        OR "EventName" ILIKE '%permission%'
        OR "EventName" ILIKE '%role%')
    AND RiskScore >= 65
ORDER BY EventTime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement

Sumo Logic CSE

sql

_sourceCategory=azure/audit OR _sourceCategory=azure/signin
| json auto
| where operation_name matches /(add|delete|update|consent|create)/i
| where !(initiated_by_user matches /service-/) 
| if(result_reason matches /fail/i, "Failed", "Success") as result
| if(operation_name matches /delete/i, 85,
    if(operation_name matches /consent/i, 80,
    if(operation_name matches /(add|create)/i, 70, 55))) as risk_score
| where risk_score >= 70
| count by initiated_by_user, operation_name, target_display_name, risk_score, source_ip
| sort - risk_score

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=azure/audit OR _sourceCategory=azure/signin

False Positives

Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement

Google Chronicle / SecOps

yaral

rule detection_t1666 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Modify Cloud Resource Hierarchy cloud activity - T1666"
    severity = "HIGH"
    mitre_attack = "T1666"
    reference = "https://attack.mitre.org/techniques/T1666/"

  events:
    $e.metadata.event_type = "USER_CHANGE"
    $e.principal.user.userid = $user
    $e.principal.ip = $source_ip
    $e.target.resource.name = $resource
    (
      re.regex($e.metadata.product_event_type, `(?i)(add|delete|consent|update|create)`) and
      not re.regex($e.principal.user.userid, `(?i)(service-|automation-|pipeline-)`)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Azure AD Microsoft 365

Required Tables

USER_CHANGE RESOURCE_CREATION

False Positives

Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "UserActivityAuditEvent"
| EventName = /(?i)(add|delete|consent|update|create)/
| UserName != /(?i)(service-|automation-|pipeline-)/
| case {
    EventName = /(?i)delete/ | RiskScore := "High" ;
    EventName = /(?i)consent/ | RiskScore := "High" ;
    EventName = /(?i)(add|create)/ | RiskScore := "Medium" ;
    * | RiskScore := "Low"
}
| RiskScore != "Low"
| table([UserName, EventName, TargetObjectId, SourceIPAddress, RiskScore, @timestamp])
| sort(@timestamp, order=desc, limit=100)

critical severity high confidence

Data Sources

CrowdStrike Falcon Identity Protection

Required Tables

UserActivityAuditEvent AuthActivityAuditEvent

False Positives

Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement

Modify Cloud Resource Hierarchy

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections