Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.
IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)
Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)
In AWS environments, adversaries with appropriate permissions in a given account may call the LeaveOrganization API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the CreateAccount API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| UEM-05 | Endpoint Management | mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This control provides for the implementation of best practices for endpoint management. Securing resource groups and limiting permissions can help mitigate the risk of adversaries adding, deleting, or otherwise modifying hierarchical structures.
References
|
| IAM-05 | Least Privilege | mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This control describes the enforcement of the principle of least privilege implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and by limiting access to sensitive data.
Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For this technique, in terms of mitigation, limit permissions to add, delete, or modify resource groups to only those required.
References
|
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This control provides for the implementation of best practices for third-party endpoint management. Securing resource groups and limiting permissions can help mitigate the risk of adversaries adding, deleting, or otherwise modifying hierarchical structures.
References
|
| AIS-06 | Automated Secure Application Deployment | mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. Secure deployment templates should restrict the ability to openly changes to resource groups, such as creating new resource groups which may mitigate the abuse of this technique.
References
|