Detect Modify Cloud Resource Hierarchy in Elastic Security
This detection identifies adversarial modification of cloud resource hierarchy structures in IaaS environments, including AWS Organizations and Azure Management Groups and Subscriptions. Adversaries with elevated privileges may create new AWS accounts within an organization to bypass Service Control Policies, call LeaveOrganization to sever an account from its parent organization and remove guardrails, transfer Azure subscriptions between tenants to abuse victim compute resources without generating logs on the victim tenant (subscription hijacking), or create new Azure subscriptions under compromised Global Administrator accounts. These actions enable adversaries to operate in environments with reduced policy enforcement, evade centralized detection controls, and consume cloud resources at the victim's expense.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1666 Modify Cloud Resource Hierarchy
- Canonical reference
- https://attack.mitre.org/techniques/T1666/
Elastic Detection Query
any where event.dataset : "azure.*" and (
event.action : ("Add*", "Update*", "Delete*", "Consent*") and
not user.name : "service-*"
) or (
event.dataset == "azure.signinlogs" and
event.outcome == "success" and
source.as.organization.name : ("Tor*", "VPN*")
)Elastic EQL detection for Modify Cloud Resource Hierarchy (T1666). Identifies modify cloud resource hierarchy activity by correlating endpoint telemetry patterns consistent with known adversary techniques.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
- Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
- DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement
Other platforms for T1666
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Organization Account Departure (LeaveOrganization)
Expected signal: AWS CloudTrail event: eventName=LeaveOrganization, eventSource=organizations.amazonaws.com, userIdentity.accountId=<member-account-id>. No errorCode if permissions are correct.
- Test 2AWS Create New Organization Account
Expected signal: AWS CloudTrail events: CreateAccount (async, requestParameters.accountName='AtomicTest-T1666') followed by CreateAccountResult with responseElements.createAccountStatus.state=SUCCEEDED.
- Test 3Azure Management Group Subscription Move
Expected signal: AzureActivity records with OperationNameValue: MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE and MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE. Caller will be the authenticated principal's UPN.
References (6)
- https://attack.mitre.org/techniques/T1666/
- https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-attacks-enable-intelligence-collection-at-high-value-targets/
- https://techcommunity.microsoft.com/t5/azure-governance-and-management/protect-your-azure-resources-from-subscription-hijacking/ba-p/3717968
- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-in-threat-detection.pdf
- https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html
- https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
Unlock Pro Content
Get the full detection package for T1666 including response playbook, investigation guide, and atomic red team tests.