Detect Modify Cloud Resource Hierarchy in Google Chronicle
This detection identifies adversarial modification of cloud resource hierarchy structures in IaaS environments, including AWS Organizations and Azure Management Groups and Subscriptions. Adversaries with elevated privileges may create new AWS accounts within an organization to bypass Service Control Policies, call LeaveOrganization to sever an account from its parent organization and remove guardrails, transfer Azure subscriptions between tenants to abuse victim compute resources without generating logs on the victim tenant (subscription hijacking), or create new Azure subscriptions under compromised Global Administrator accounts. These actions enable adversaries to operate in environments with reduced policy enforcement, evade centralized detection controls, and consume cloud resources at the victim's expense.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1666 Modify Cloud Resource Hierarchy
- Canonical reference
- https://attack.mitre.org/techniques/T1666/
YARA-L Detection Query
rule detection_t1666 {
meta:
author = "Argus Detection Platform"
description = "Detects Modify Cloud Resource Hierarchy cloud activity - T1666"
severity = "HIGH"
mitre_attack = "T1666"
reference = "https://attack.mitre.org/techniques/T1666/"
events:
$e.metadata.event_type = "USER_CHANGE"
$e.principal.user.userid = $user
$e.principal.ip = $source_ip
$e.target.resource.name = $resource
(
re.regex($e.metadata.product_event_type, `(?i)(add|delete|consent|update|create)`) and
not re.regex($e.principal.user.userid, `(?i)(service-|automation-|pipeline-)`)
)
condition:
$e
}Google Chronicle YARA-L 2.0 rule for detecting Modify Cloud Resource Hierarchy (T1666). Uses Chronicle UDM event model to identify modify cloud resource hierarchy behaviors across endpoint and cloud telemetry.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
- Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
- DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement
Other platforms for T1666
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Organization Account Departure (LeaveOrganization)
Expected signal: AWS CloudTrail event: eventName=LeaveOrganization, eventSource=organizations.amazonaws.com, userIdentity.accountId=<member-account-id>. No errorCode if permissions are correct.
- Test 2AWS Create New Organization Account
Expected signal: AWS CloudTrail events: CreateAccount (async, requestParameters.accountName='AtomicTest-T1666') followed by CreateAccountResult with responseElements.createAccountStatus.state=SUCCEEDED.
- Test 3Azure Management Group Subscription Move
Expected signal: AzureActivity records with OperationNameValue: MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE and MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE. Caller will be the authenticated principal's UPN.
References (6)
- https://attack.mitre.org/techniques/T1666/
- https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-attacks-enable-intelligence-collection-at-high-value-targets/
- https://techcommunity.microsoft.com/t5/azure-governance-and-management/protect-your-azure-resources-from-subscription-hijacking/ba-p/3717968
- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-in-threat-detection.pdf
- https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html
- https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
Unlock Pro Content
Get the full detection package for T1666 including response playbook, investigation guide, and atomic red team tests.