Detect Modify Cloud Resource Hierarchy in Microsoft Sentinel
This detection identifies adversarial modification of cloud resource hierarchy structures in IaaS environments, including AWS Organizations and Azure Management Groups and Subscriptions. Adversaries with elevated privileges may create new AWS accounts within an organization to bypass Service Control Policies, call LeaveOrganization to sever an account from its parent organization and remove guardrails, transfer Azure subscriptions between tenants to abuse victim compute resources without generating logs on the victim tenant (subscription hijacking), or create new Azure subscriptions under compromised Global Administrator accounts. These actions enable adversaries to operate in environments with reduced policy enforcement, evade centralized detection controls, and consume cloud resources at the victim's expense.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1666 Modify Cloud Resource Hierarchy
- Canonical reference
- https://attack.mitre.org/techniques/T1666/
KQL Detection Query
let AzureHierarchyOps = AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue in~ (
"MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/WRITE",
"MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/DELETE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE",
"MICROSOFT.BILLING/TRANSFERS/ACCEPT",
"MICROSOFT.BILLING/TRANSFERS/INITIATE"
)
| extend CallerClaims = parse_json(Claims)
| extend UserPrincipalName = tostring(CallerClaims["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"])
| extend TenantId = tostring(CallerClaims["tid"])
| project
TimeGenerated,
Source = "AzureActivity",
Operation = OperationNameValue,
Status = ActivityStatus,
CallerIpAddress,
Caller,
UserPrincipalName,
SubscriptionId,
ResourceGroup,
ResourceId,
TenantId;
let AzureAuditHierarchy = AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in~ (
"Add subscription",
"Delete subscription",
"Update subscription",
"Add management group",
"Delete management group",
"Move subscription to management group",
"Remove subscription from management group"
)
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy))["user"]["userPrincipalName"])
| extend InitiatedByIP = tostring(parse_json(tostring(InitiatedBy))["user"]["ipAddress"])
| project
TimeGenerated,
Source = "AuditLogs",
Operation = OperationName,
Status = Result,
CallerIpAddress = InitiatedByIP,
Caller = InitiatedByUser,
UserPrincipalName = InitiatedByUser,
SubscriptionId = "",
ResourceGroup = "",
ResourceId = TargetResources,
TenantId = TenantId;
union AzureHierarchyOps, AzureAuditHierarchy
| extend RiskScore = case(
Operation has_any ("TRANSFERS", "Transfer"), 100,
Operation has_any ("DELETE", "Delete"), 85,
Operation has_any ("MANAGEMENTGROUPS/SUBSCRIPTIONS", "Remove subscription"), 80,
Operation has_any ("SUBSCRIPTIONS/WRITE", "Add subscription"), 70,
Operation has_any ("MANAGEMENTGROUPS/WRITE", "Add management group"), 65,
60
)
| where RiskScore >= 65
| order by RiskScore desc, TimeGenerated descDetects modifications to Azure Management Group and Subscription hierarchy, including subscription creation/deletion, management group changes, subscription-to-management-group moves, and billing transfer operations indicative of subscription hijacking. Unions AzureActivity and AuditLogs to capture both ARM-level and Azure AD directory-level hierarchy changes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
- Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
- DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement
Other platforms for T1666
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Organization Account Departure (LeaveOrganization)
Expected signal: AWS CloudTrail event: eventName=LeaveOrganization, eventSource=organizations.amazonaws.com, userIdentity.accountId=<member-account-id>. No errorCode if permissions are correct.
- Test 2AWS Create New Organization Account
Expected signal: AWS CloudTrail events: CreateAccount (async, requestParameters.accountName='AtomicTest-T1666') followed by CreateAccountResult with responseElements.createAccountStatus.state=SUCCEEDED.
- Test 3Azure Management Group Subscription Move
Expected signal: AzureActivity records with OperationNameValue: MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE and MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE. Caller will be the authenticated principal's UPN.
References (6)
- https://attack.mitre.org/techniques/T1666/
- https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-attacks-enable-intelligence-collection-at-high-value-targets/
- https://techcommunity.microsoft.com/t5/azure-governance-and-management/protect-your-azure-resources-from-subscription-hijacking/ba-p/3717968
- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-in-threat-detection.pdf
- https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html
- https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
Unlock Pro Content
Get the full detection package for T1666 including response playbook, investigation guide, and atomic red team tests.