Defense Impairment

T1666: Modify Cloud Resource Hierarchy


T1666 · Technique · 1 platform

Description

Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.

IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)

Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)

In AWS environments, adversaries with appropriate permissions in a given account may call the LeaveOrganization API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the CreateAccount API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)
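The two AWS API calls named above leave a trail in the cloud provider's audit log. As an added example (not part of the ATT&CK page or any vendor's code), the following Python scans CloudTrail-style JSON records for AWS Organizations hierarchy changes. The sample events are constructed; the event source name `organizations.amazonaws.com` is the real one CloudTrail uses for Organizations API calls, and `RemoveAccountFromOrganization` and `MoveAccount` are real Organizations API names that the page itself does not mention, included here because they also change where an account sits in the hierarchy.

```python
import json
from typing import Iterable

# Constructed, simplified CloudTrail-style events (not real log data).
SAMPLE_EVENTS = [
    json.dumps({
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "recipientAccountId": "111111111111",
    }),
    json.dumps({
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "userIdentity": {"arn": "arn:aws:iam::222222222222:role/Admin"},
        "recipientAccountId": "222222222222",
        # A denied attempt still carries the event; CloudTrail records the error.
        "errorCode": "AccessDeniedException",
    }),
    json.dumps({
        "eventTime": "2024-05-01T10:07:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccount",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "recipientAccountId": "111111111111",
        "requestParameters": {"accountName": "temp-build"},
    }),
]

# Organizations API calls that change the account hierarchy. The first two are
# the ones discussed in the technique description; the last two are additional
# real Organizations API names (assumed relevant, not listed on the page).
HIERARCHY_EVENTS = {
    "LeaveOrganization",
    "CreateAccount",
    "RemoveAccountFromOrganization",
    "MoveAccount",
}


def detect_hierarchy_changes(lines: Iterable[str]) -> list[dict]:
    """Return one finding per Organizations hierarchy-change event.

    Denied calls are kept (flagged with denied=True): a blocked
    LeaveOrganization attempt is itself a signal worth alerting on.
    """
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        if event.get("eventSource") != "organizations.amazonaws.com":
            continue
        name = event.get("eventName")
        if name not in HIERARCHY_EVENTS:
            continue
        findings.append({
            "time": event.get("eventTime"),
            "event": name,
            "actor": event.get("userIdentity", {}).get("arn", "unknown"),
            "account": event.get("recipientAccountId"),
            "denied": "errorCode" in event,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hierarchy_changes(SAMPLE_EVENTS):
        print(finding)
```

Feeding this the three constructed events yields two findings: the denied `LeaveOrganization` attempt from account 222222222222 and the successful `CreateAccount` call from the management account. In practice a rule like this sits in the SIEM over the organization-wide trail, since the whole point of the technique is that a severed or newly created account may fall outside per-account detections.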

Platforms

IaaS

Mitigations (3)

M1054: Software Configuration

In Azure environments, consider setting a policy to block subscription transfers.(Citation: Azure Subscription Policies) In AWS environments, consider using Service Control Policies to prevent the use of the LeaveOrganization API call.(Citation: AWS RE:Inforce Threat Detection 2024)
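The AWS half of this mitigation is a Service Control Policy (SCP) that explicitly denies the `organizations:LeaveOrganization` action. As an added example (not from the ATT&CK page or from AWS), the Python below holds that SCP document as a dictionary and models how SCPs are evaluated for a member account: an explicit Deny in any attached SCP wins, and otherwise some attached SCP must Allow the action. The default `FullAWSAccess` policy that AWS attaches is modelled alongside it; the policy JSON follows the real IAM policy grammar, while the evaluator is a simplification (no `NotAction`, conditions or resource matching) written for illustration.

```python
from fnmatch import fnmatchcase

# SCP that blocks the LeaveOrganization call. "organizations:LeaveOrganization"
# is the real IAM action name for the AWS Organizations LeaveOrganization API.
DENY_LEAVE_ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        }
    ],
}

# AWS attaches this allow-all SCP (FullAWSAccess) by default; without some
# Allow, an SCP-restricted account can do nothing at all.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _actions(statement: dict) -> list[str]:
    # "Action" may be a single string or a list of strings.
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def scp_allows(scps: list[dict], action: str) -> bool:
    """Simplified SCP evaluation for one member account.

    Returns False on the first matching Deny; otherwise True only if at
    least one matching Allow exists across the attached policies.
    """
    allowed = False
    for scp in scps:
        for statement in scp.get("Statement", []):
            if not any(_matches(p, action) for p in _actions(statement)):
                continue
            if statement.get("Effect") == "Deny":
                return False
            if statement.get("Effect") == "Allow":
                allowed = True
    return allowed


def validate_scp(scp: dict) -> list[str]:
    """Return a list of structural problems in an SCP document (empty if none)."""
    problems = []
    if scp.get("Version") != "2012-10-17":
        problems.append("Version must be '2012-10-17'")
    for i, statement in enumerate(scp.get("Statement", [])):
        if statement.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement {i}: Effect must be Allow or Deny")
        if not _actions(statement):
            problems.append(f"Statement {i}: missing Action")
        if "Resource" not in statement:
            problems.append(f"Statement {i}: missing Resource")
    return problems


if __name__ == "__main__":
    attached = [FULL_AWS_ACCESS_SCP, DENY_LEAVE_ORG_SCP]
    for act in ("organizations:LeaveOrganization", "organizations:DescribeOrganization"):
        print(act, "->", "allowed" if scp_allows(attached, act) else "DENIED")
```

One caveat worth keeping in mind when relying on this control: SCPs constrain member accounts only and have no effect on the organization's management account, which is one more reason the Audit mitigation below recommends keeping workloads out of it.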

M1018: User Account Management

Limit permissions to add, delete, or modify resource groups to only those required.

M1047: Audit

Periodically audit resource groups in the cloud management console to ensure that only expected items exist, especially close to the top of the hierarchy (e.g., AWS accounts and Azure subscriptions). Typically, top-level accounts (such as the AWS management account) should not contain any workloads or resources.(Citation: AWS Management Account Best Practices)
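A periodic audit of the top of the hierarchy amounts to comparing the accounts the organization currently contains against an approved baseline and checking that the management account carries no workloads. As an added example (not from the ATT&CK page or from AWS), the Python below does that comparison over a constructed inventory whose records use the `Id`, `Name`, `Status` and `JoinedTimestamp` field names that AWS Organizations returns for accounts, plus an assumed `Parent` field naming the organizational unit each account sits in. The baseline, the management-account resource counts and all identifiers are constructed for the example.

```python
from typing import Iterable

# Constructed inventory: what the organization contains right now.
CURRENT_ACCOUNTS = [
    {"Id": "111111111111", "Name": "management", "Status": "ACTIVE",
     "Parent": "Root", "JoinedTimestamp": "2021-01-10T00:00:00Z"},
    {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE",
     "Parent": "Workloads", "JoinedTimestamp": "2021-02-01T00:00:00Z"},
    {"Id": "333333333333", "Name": "temp-build", "Status": "ACTIVE",
     "Parent": "Root", "JoinedTimestamp": "2024-05-01T10:07:00Z"},
]

# Constructed baseline: approved account id -> the OU it is expected to sit in.
APPROVED_ACCOUNTS = {
    "111111111111": "Root",
    "222222222222": "Workloads",
    "444444444444": "Workloads",
}

MANAGEMENT_ACCOUNT_ID = "111111111111"

# Constructed resource counts observed in the management account.
MANAGEMENT_ACCOUNT_RESOURCES = {"ec2:instance": 2, "lambda:function": 0}


def audit_hierarchy(accounts: Iterable[dict], approved: dict, mgmt_id: str,
                    mgmt_resources: dict) -> list[tuple]:
    """Compare the live organization against the approved baseline.

    Each finding is (kind, account_id, detail). Kinds:
      UNEXPECTED_ACCOUNT   - account present but not in the baseline
      MOVED_ACCOUNT        - account present but under a different OU
      MISSING_ACCOUNT      - baseline account no longer in the organization
      WORKLOAD_IN_MANAGEMENT_ACCOUNT - resources found in the management account
    """
    findings = []
    seen = set()
    for acct in accounts:
        seen.add(acct["Id"])
        expected_parent = approved.get(acct["Id"])
        if expected_parent is None:
            findings.append(("UNEXPECTED_ACCOUNT", acct["Id"],
                             f"{acct['Name']} under {acct['Parent']}, "
                             f"joined {acct['JoinedTimestamp']}"))
        elif expected_parent != acct["Parent"]:
            findings.append(("MOVED_ACCOUNT", acct["Id"],
                             f"expected {expected_parent}, found {acct['Parent']}"))
    for acct_id in approved:
        if acct_id not in seen:
            # Could have left the organization or been removed from it.
            findings.append(("MISSING_ACCOUNT", acct_id, "not in organization"))
    for rtype, count in mgmt_resources.items():
        if count:
            findings.append(("WORKLOAD_IN_MANAGEMENT_ACCOUNT", mgmt_id,
                             f"{count} x {rtype}"))
    return findings


if __name__ == "__main__":
    for kind, acct_id, detail in audit_hierarchy(
            CURRENT_ACCOUNTS, APPROVED_ACCOUNTS,
            MANAGEMENT_ACCOUNT_ID, MANAGEMENT_ACCOUNT_RESOURCES):
        print(f"{kind:32} {acct_id}  {detail}")
```

Against the constructed data this reports the unapproved `temp-build` account sitting directly under the root, the approved account 444444444444 that is no longer in the organization, and two EC2 instances in the management account. The same comparison applies to Azure by substituting subscriptions and management groups for accounts and OUs.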


Frequently Asked Questions

What is T1666 (Modify Cloud Resource Hierarchy)?

T1666 is a MITRE ATT&CK technique named 'Modify Cloud Resource Hierarchy'. It belongs to the Defense Impairment tactic(s). Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups.

How can T1666 be detected?

Detection of T1666 (Modify Cloud Resource Hierarchy) typically involves monitoring the cloud provider's management-plane audit logs for changes to the hierarchy itself: in AWS, calls such as LeaveOrganization and CreateAccount; in Azure, the creation of new subscriptions or the transfer of a subscription to another tenant. Forward these logs to a SIEM and alert on hierarchy changes, including denied attempts, that fall outside expected change windows or come from unexpected principals.

What mitigations exist for T1666?

There are 3 documented mitigations for T1666: Software Configuration (M1054), User Account Management (M1018), and Audit (M1047).

Which threat groups use T1666?

Specific threat group attribution may vary; the description above cites Microsoft's 2023 reporting on Peach Sandstorm as an example of subscription hijacking in Azure. Check the MITRE ATT&CK website for the latest threat intelligence.