T1666 Modify Cloud Resource Hierarchy

Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.

IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)

Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)

In AWS environments, adversaries with appropriate permissions in a given account may call the LeaveOrganization API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the CreateAccount API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)
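As an added example that is not part of the ATT&CK page or its mapping data, the following Python detector walks CloudTrail records and surfaces the two AWS Organizations calls named above, LeaveOrganization and CreateAccount. It reports the calling principal, source address and whether the call succeeded, because a denied attempt is still worth a look (it can indicate a principal probing whether the guardrails hold). The CloudTrail records, account IDs, ARNs and IP addresses are constructed placeholders; the set of watched API names is a tunable you can extend with other hierarchy-changing calls from your own baseline.

```python
import json
from dataclasses import dataclass
from typing import Iterable

# Organizations API calls named in the technique description, with the risk
# each one carries. Extend this set to match your own organization baseline.
HIERARCHY_EVENTS = {
    "LeaveOrganization": "account severed from organization; SCP guardrails no longer apply",
    "CreateAccount": "new member account created; may fall outside existing detections",
}


@dataclass(frozen=True)
class Finding:
    event_time: str
    event_name: str
    account_id: str
    actor: str
    source_ip: str
    succeeded: bool
    reason: str


def _actor(event: dict) -> str:
    """Best-effort identity string from the CloudTrail userIdentity block."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or "unknown"


def detect_hierarchy_changes(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per Organizations call that alters the hierarchy.

    Only events from the Organizations service are considered; everything
    else (EC2, IAM, read-only Organizations calls) is ignored. A record with
    an errorCode is a failed attempt and is reported with succeeded=False.
    """
    findings: list[Finding] = []
    for ev in events:
        if ev.get("eventSource") != "organizations.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        if name not in HIERARCHY_EVENTS:
            continue
        findings.append(
            Finding(
                event_time=ev.get("eventTime", ""),
                event_name=name,
                account_id=ev.get("recipientAccountId", ""),
                actor=_actor(ev),
                source_ip=ev.get("sourceIPAddress", ""),
                succeeded="errorCode" not in ev,
                reason=HIERARCHY_EVENTS[name],
            )
        )
    return findings


def load_records(cloudtrail_json: str) -> list[dict]:
    """Parse a CloudTrail log-file document ({"Records": [...]}) into records."""
    return json.loads(cloudtrail_json).get("Records", [])


# Constructed sample CloudTrail records (not real telemetry). Account IDs,
# ARNs and IP addresses are placeholders chosen for the example.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "LeaveOrganization", "recipientAccountId": "111111111111",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/placeholder-admin"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount", "recipientAccountId": "999999999999",
     "sourceIPAddress": "198.51.100.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::999999999999:assumed-role/placeholder-role/session"}},
    {"eventTime": "2024-05-01T10:21:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DescribeOrganization", "recipientAccountId": "999999999999",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::999999999999:assumed-role/placeholder-role/session"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "recipientAccountId": "111111111111",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/placeholder-dev"}},
]})


if __name__ == "__main__":
    for f in detect_hierarchy_changes(load_records(SAMPLE_CLOUDTRAIL)):
        status = "SUCCESS" if f.succeeded else "DENIED"
        print(f"[{status}] {f.event_time} {f.event_name} by {f.actor} "
              f"in account {f.account_id} from {f.source_ip}: {f.reason}")
```

In practice this would run over the organization trail delivered to the management account rather than over a single member account's trail, since a LeaveOrganization call is recorded by the departing account and an adversary who controls that account can interfere with its local logging. A successful LeaveOrganization finding should be paired with a check that the account's Service Control Policies were actually in force before the call, because that is exactly what the departure removes.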


CRI Profile Mappings

Capability ID: PR.PS-01.01
Capability Description: Configuration baselines
Mapping Type: Mitigates
ATT&CK ID: T1666 Modify Cloud Resource Hierarchy
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

Capability ID: PR.PS-01.02
Capability Description: Least functionality
Mapping Type: Mitigates
ATT&CK ID: T1666 Modify Cloud Resource Hierarchy
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

Capability ID: PR.PS-01.03
Capability Description: Configuration deviation
Mapping Type: Mitigates
ATT&CK ID: T1666 Modify Cloud Resource Hierarchy
Comments: This diagnostic statement provides protection from Modify Cloud Resource Hierarchy through the implementation of security configuration baselines for OS, software, file integrity monitoring, and imaging. Security baseline configurations for cloud platforms and integrity checking can help protect against adversaries attempting to compromise and modify cloud configurations.

Capability ID: PR.AA-01.01
Capability Description: Identity and credential management
Mapping Type: Mitigates
ATT&CK ID: T1666 Modify Cloud Resource Hierarchy
Comments: This diagnostic statement protects against Modify Cloud Resource Hierarchy through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID: CM-03
Capability Description: Configuration Change Control
Mapping Type: mitigates
ATT&CK ID: T1666 Modify Cloud Resource Hierarchy
Comments: Monitoring and reviewing changes to the configuration of the IaaS environment (in this case, the cloud resource hierarchy) allows for the detection and reversal of unauthorized changes to prevent exploitation.

VERIS Mappings

Capability ID: action.hacking.variety.Evade Defenses
Capability Description: Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.
Mapping Type: related-to
ATT&CK ID: T1666 Modify Cloud Resource Hierarchy

GCP Mappings

Capability ID: identity_and_access_management
Capability Description: Identity and Access Management
Mapping Type: technique_scores
ATT&CK ID: T1666 Modify Cloud Resource Hierarchy
Comments: IAM can be configured to minimize permissions granted to users and to limit users' ability to add, delete, or modify resource groups.