Detect Modify Cloud Resource Hierarchy in Splunk
This detection identifies adversarial modification of cloud resource hierarchy structures in IaaS environments, including AWS Organizations and Azure Management Groups and Subscriptions. Adversaries with elevated privileges may create new AWS accounts within an organization to bypass Service Control Policies, call LeaveOrganization to sever an account from its parent organization and remove guardrails, transfer Azure subscriptions between tenants to abuse victim compute resources without generating logs on the victim tenant (subscription hijacking), or create new Azure subscriptions under compromised Global Administrator accounts. These actions enable adversaries to operate in environments with reduced policy enforcement, evade centralized detection controls, and consume cloud resources at the victim's expense.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1666 Modify Cloud Resource Hierarchy
- Canonical reference
- https://attack.mitre.org/techniques/T1666/
SPL Detection Query
index=* sourcetype="aws:cloudtrail"
| search eventName IN (
    "LeaveOrganization",
    "CreateAccount",
    "MoveAccount",
    "InviteAccountToOrganization",
    "RemoveAccountFromOrganization",
    "AcceptHandshake",
    "DeclineHandshake",
    "DeleteOrganizationalUnit",
    "CreateOrganizationalUnit",
    "DeleteOrganization",
    "DetachPolicy",
    "DisablePolicyType"
)
| eval risk_score=case(
    eventName="LeaveOrganization", 100,
    eventName="RemoveAccountFromOrganization", 95,
    eventName="DeleteOrganization", 100,
    eventName="DisablePolicyType", 90,
    eventName="DetachPolicy", 80,
    eventName="CreateAccount", 70,
    eventName="DeleteOrganizationalUnit", 75,
    eventName="AcceptHandshake", 60,
    eventName="MoveAccount", 55,
    true(), 50
)
| eval actor=coalesce('userIdentity.arn', 'userIdentity.userName', 'userIdentity.principalId', "unknown")
| eval assumed_role=if('userIdentity.type'="AssumedRole", "true", "false")
| eval error_present=if(isnotnull(errorCode), errorCode." - ".errorMessage, "none")
| eval target_account=coalesce('requestParameters.accountId', 'requestParameters.targetId', "N/A")
| where risk_score >= 55
| table _time, eventName, actor, assumed_role, sourceIPAddress, awsRegion, target_account, risk_score, error_present, userAgent
| sort -risk_score, -_time

Detects AWS Organizations hierarchy modification events, including LeaveOrganization (an account severs itself from the organization to escape Service Control Policies), CreateAccount (a new account is added to the organization for policy bypass), RemoveAccountFromOrganization, and Service Control Policy detachment. Risk scoring prioritizes events that eliminate guardrails. Note that the risk_score >= 55 filter drops InviteAccountToOrganization, DeclineHandshake and CreateOrganizationalUnit, which only receive the default score of 50; lower the threshold if those events should be surfaced as well.
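As an added example (not part of the original detection content), the following Python re-implements the scoring and column logic of the SPL above over a handful of constructed CloudTrail records, so the rule's behaviour can be checked offline before it is deployed: which of the listed event names survive the risk_score >= 55 filter, how actor and target_account are coalesced from nested userIdentity and requestParameters fields, and how a denied API call surfaces in error_present. The sample events and their values are constructed; field names follow the CloudTrail fields the query references.

```python
"""Offline re-implementation of the SPL risk scoring for AWS Organizations events (added example)."""
from typing import Any, Dict, Iterable, List, Optional

# Mirror of the eventName list in the SPL "search eventName IN (...)" clause.
WATCHED_EVENTS = {
    "LeaveOrganization", "CreateAccount", "MoveAccount", "InviteAccountToOrganization",
    "RemoveAccountFromOrganization", "AcceptHandshake", "DeclineHandshake",
    "DeleteOrganizationalUnit", "CreateOrganizationalUnit", "DeleteOrganization",
    "DetachPolicy", "DisablePolicyType",
}
# Mirror of the SPL case(); anything else in WATCHED_EVENTS falls back to DEFAULT_SCORE.
RISK_SCORES = {
    "LeaveOrganization": 100, "RemoveAccountFromOrganization": 95, "DeleteOrganization": 100,
    "DisablePolicyType": 90, "DetachPolicy": 80, "CreateAccount": 70,
    "DeleteOrganizationalUnit": 75, "AcceptHandshake": 60, "MoveAccount": 55,
}
DEFAULT_SCORE = 50
THRESHOLD = 55  # same as "| where risk_score >= 55"

# Constructed sample CloudTrail records (not real telemetry); only fields the SPL reads are present.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "LeaveOrganization",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/cli",
                      "principalId": "AROAEXAMPLE:cli"},
     "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateAccount",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "principalId": "AIDAEXAMPLE"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1",
     "requestParameters": {"accountName": "AtomicTest-T1666"}, "userAgent": "console.amazonaws.com"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "MoveAccount",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.8", "awsRegion": "us-east-1", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"accountId": "222222222222", "sourceParentId": "ou-aaaa-11111111",
                           "destinationParentId": "ou-bbbb-22222222"},
     "errorCode": "AccessDeniedException", "errorMessage": "User is not authorized"},
    # Scores only the default 50, so the threshold drops it.
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "CreateOrganizationalUnit",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "awsRegion": "us-east-1", "requestParameters": {"parentId": "r-abcd"}, "userAgent": "console.amazonaws.com"},
    # Read-only call, not in the watch list at all.
    {"eventTime": "2024-05-01T10:10:00Z", "eventName": "DescribeOrganization",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "198.51.100.9",
     "awsRegion": "us-east-1", "userAgent": "aws-cli/2.15.0"},
]


def nested(record: Dict[str, Any], *path: str) -> Optional[Any]:
    """Safe lookup of a dotted CloudTrail field such as userIdentity.arn."""
    cur: Any = record
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def coalesce(*values: Optional[Any], default: str) -> str:
    """First non-empty value, like SPL coalesce() with a literal fallback."""
    for v in values:
        if v not in (None, ""):
            return str(v)
    return default


def enrich(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build the same columns as the SPL 'table' command for one raw event."""
    def ident(field: str) -> Optional[Any]:
        return nested(event, "userIdentity", field)

    def params(field: str) -> Optional[Any]:
        return nested(event, "requestParameters", field)

    code = event.get("errorCode")
    return {
        "_time": event.get("eventTime"),
        "eventName": event["eventName"],
        "actor": coalesce(ident("arn"), ident("userName"), ident("principalId"), default="unknown"),
        "assumed_role": "true" if ident("type") == "AssumedRole" else "false",
        "sourceIPAddress": event.get("sourceIPAddress"),
        "awsRegion": event.get("awsRegion"),
        "target_account": coalesce(params("accountId"), params("targetId"), default="N/A"),
        "risk_score": RISK_SCORES.get(event["eventName"], DEFAULT_SCORE),
        "error_present": f"{code} - {event.get('errorMessage')}" if code else "none",
        "userAgent": event.get("userAgent"),
    }


def detect(events: Iterable[Dict[str, Any]], threshold: int = THRESHOLD) -> List[Dict[str, Any]]:
    """search -> eval -> where -> sort, as in the SPL; returns the surviving rows."""
    rows = [enrich(e) for e in events if e.get("eventName") in WATCHED_EVENTS]
    rows = [r for r in rows if r["risk_score"] >= threshold]
    rows.sort(key=lambda r: r["_time"] or "", reverse=True)  # -_time (ISO 8601 sorts lexically)
    rows.sort(key=lambda r: r["risk_score"], reverse=True)   # -risk_score; stable sort keeps time order
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["risk_score"], row["eventName"], row["actor"], row["target_account"], row["error_present"])
```

Running the block prints three rows (LeaveOrganization, CreateAccount, MoveAccount); the CreateOrganizationalUnit event is scored 50 and filtered, and the DescribeOrganization call never enters the pipeline. Calling detect(SAMPLE_EVENTS, threshold=50) is the quickest way to see what lowering the SPL threshold would surface.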
False Positives & Tuning
- Cloud platform engineering teams legitimately creating new AWS accounts within an organization for new environments (dev, staging, prod) via approved IaC pipelines
- AWS Organizations administrators reorganizing Organizational Units (OUs) or moving accounts between OUs as part of planned restructuring
- Authorized billing administrators disabling specific SCP policy types in non-production OUs for testing purposes
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: AWS Organization Account Departure (LeaveOrganization)
Expected signal: AWS CloudTrail event: eventName=LeaveOrganization, eventSource=organizations.amazonaws.com, userIdentity.accountId=<member-account-id>. No errorCode if permissions are correct.
- Test 2: AWS Create New Organization Account
Expected signal: AWS CloudTrail events: CreateAccount (async, requestParameters.accountName='AtomicTest-T1666') followed by CreateAccountResult with responseElements.createAccountStatus.state=SUCCEEDED.
- Test 3: Azure Management Group Subscription Move
Expected signal: AzureActivity records with OperationNameValue: MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE and MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE. Caller will be the authenticated principal's UPN.
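Test 3 names the AzureActivity operations to expect, but the SPL above covers only CloudTrail. As an added example, not part of this page's detection package, the Python below flags those two operations in AzureActivity-style records and pairs a detach from one management group with the subsequent attach of the same subscription to another, so a move shows up as a single row with source and destination rather than two unrelated events. The records are constructed; OperationNameValue and Caller are the columns named in Test 3, while TimeGenerated, ActivityStatusValue, ResourceId and the resource id pattern for the management-group/subscription association are assumptions made for the example.

```python
"""Flag subscription moves between Azure management groups from AzureActivity-style records (added example)."""
import re
from typing import Any, Dict, Iterable, List, Optional

# Operation names quoted in Test 3 above; the attach/detach labels are ours.
SUBSCRIPTION_MG_OPS = {
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE": "attach",
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE": "detach",
}
# Shape of the management-group/subscription association resource id (assumed here).
_ASSOC_RE = re.compile(
    r"/providers/Microsoft\.Management/managementGroups/(?P<mg>[^/]+)/subscriptions/(?P<sub>[^/]+)$",
    re.IGNORECASE,
)

# Constructed sample records (not real telemetry): one subscription detached from mg-prod
# and attached to mg-sandbox by the same caller, plus an unrelated VM write as noise.
SUB = "00000000-0000-0000-0000-000000000001"
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-05-01T11:00:00Z", "Caller": "admin@contoso.example",
     "OperationNameValue": "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE",
     "ActivityStatusValue": "Success",
     "ResourceId": f"/providers/Microsoft.Management/managementGroups/mg-prod/subscriptions/{SUB}"},
    {"TimeGenerated": "2024-05-01T11:00:05Z", "Caller": "admin@contoso.example",
     "OperationNameValue": "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE",
     "ActivityStatusValue": "Success",
     "ResourceId": f"/providers/Microsoft.Management/managementGroups/mg-sandbox/subscriptions/{SUB}"},
    {"TimeGenerated": "2024-05-01T11:02:00Z", "Caller": "dev@contoso.example",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "ActivityStatusValue": "Success",
     "ResourceId": f"/subscriptions/{SUB}/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
]


def flag_mg_operations(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One row per management-group/subscription attach or detach, with the ids pulled from ResourceId."""
    rows = []
    for rec in records:
        action = SUBSCRIPTION_MG_OPS.get(str(rec.get("OperationNameValue", "")).upper())
        if not action:
            continue  # not a hierarchy change
        match = _ASSOC_RE.search(rec.get("ResourceId", ""))
        rows.append({
            "time": rec.get("TimeGenerated"),
            "caller": rec.get("Caller"),
            "action": action,
            "status": rec.get("ActivityStatusValue"),
            "management_group": match.group("mg") if match else None,
            "subscription": match.group("sub") if match else None,
        })
    return rows


def correlate_moves(rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Pair each successful detach with the next successful attach of the same subscription.

    An attach with no preceding detach is reported with from=None: that is the shape of a
    subscription entering the hierarchy from outside (a new subscription or a transfer in).
    """
    pending: Dict[str, Dict[str, Any]] = {}
    moves: List[Dict[str, Any]] = []
    for row in sorted(rows, key=lambda r: r["time"] or ""):
        if row["status"] != "Success" or not row["subscription"]:
            continue  # failed attempts are worth alerting on elsewhere, but are not a completed move
        sub = row["subscription"]
        if row["action"] == "detach":
            pending[sub] = row
            continue
        source: Optional[Dict[str, Any]] = pending.pop(sub, None)
        moves.append({
            "subscription": sub,
            "from": source["management_group"] if source else None,
            "to": row["management_group"],
            "caller": row["caller"],
            "time": row["time"],
        })
    return moves


if __name__ == "__main__":
    for move in correlate_moves(flag_mg_operations(SAMPLE_RECORDS)):
        print(f"{move['time']} {move['caller']} moved {move['subscription']} "
              f"from {move['from']} to {move['to']}")
```

The detach-then-attach pairing is what turns the two raw WRITE/DELETE records into a reviewable "moved from X to Y by caller" row; an attach without a matching detach is kept rather than dropped, since a subscription appearing under a management group with no prior history in this tenant is exactly the transfer case the description above calls out.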
References (6)
- https://attack.mitre.org/techniques/T1666/
- https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-attacks-enable-intelligence-collection-at-high-value-targets/
- https://techcommunity.microsoft.com/t5/azure-governance-and-management/protect-your-azure-resources-from-subscription-hijacking/ba-p/3717968
- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-in-threat-detection.pdf
- https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html
- https://docs.microsoft.com/en-us/azure/governance/management-groups/overview