title: Modify Cloud Resource Hierarchy (T1666)
id: df00tech-t1666
status: experimental
description: "This detection identifies adversarial modification of cloud resource hierarchy structures in IaaS environments, including AWS Organizations and Azure Management Groups and Subscriptions. Adversaries with elevated privileges may create new AWS accounts within an organization to bypass Service Control Policies, call LeaveOrganization to sever an account from its parent organization and remove guardrails, transfer Azure subscriptions between tenants to abuse victim compute resources without generating logs on the victim tenant (subscription hijacking), or create new Azure subscriptions under compromised Global Administrator accounts. These actions enable adversaries to operate in environments with reduced policy enforcement, evade centralized detection controls, and consume cloud resources at the victim's expense."
references:
  - https://attack.mitre.org/techniques/T1666/
  - https://df00tech.com/detections/T1666
author: df00tech
date: 2026/03/20
tags:
  - attack.t1666
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# It covers Azure only, while the description also names AWS Organizations activity.
logsource:
  product: azure
detection:
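  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches any EventID value, so on its own
  # it fires on every event; replace it with the translated logic before deploying.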
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate cloud governance teams reorganizing subscriptions into new management groups as part of planned landing zone migrations
  - Authorized finance or billing administrators transferring pay-as-you-go subscriptions between company-owned tenants during corporate restructuring
  - DevOps teams creating new Azure subscriptions for new product environments under an approved enterprise agreement
level: critical
