
DET0155 Detection Strategy for Modify Cloud Resource Hierarchy

ID: DET0155
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1666 (Modify Cloud Resource Hierarchy)

Analytics

IaaS

AN0442

Monitor for unauthorized or unusual modifications to cloud resource hierarchies such as AWS Organizations or Azure Management Groups. Defenders may observe anomalous calls to APIs like LeaveOrganization, CreateAccount, MoveAccount, or Azure subscription transfers. Correlate account activity with administrative role assignments, tenant transfers, or new subscription creation that deviates from organizational baselines. Multi-event correlation should track role elevation followed by hierarchy modifications within a short time window.

Log Sources

Data Component: Cloud Service Modification (DC0069)
Name: AWS:CloudTrail
Channel: LeaveOrganization: API calls severing accounts from AWS Organizations

Mutable Elements

TimeWindow: Threshold for correlating role elevation with hierarchy modification events.
PrivilegedRoleList: List of high-privilege roles (e.g., Global Administrator, OrganizationAccountAccessRole) used to monitor sensitive modifications.
SubscriptionTransferPatterns: Patterns of subscription changes that may indicate hijacking or unauthorized tenant transfers.
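The multi-event correlation AN0442 describes (privileged role elevation followed by a hierarchy modification within TimeWindow), as an added Python example that is not part of the ATT&CK page: it reads constructed CloudTrail-style records, ties each Organizations API call back to the AssumeRole that minted the calling session through the assumedRoleUser ARN, and uses TIME_WINDOW and PRIVILEGED_ROLES as assumed values for the mutable elements.

```python
from datetime import datetime, timedelta

# DET0155 mutable elements; the concrete values below are assumptions for this example.
TIME_WINDOW = timedelta(minutes=30)                   # TimeWindow
PRIVILEGED_ROLES = {"OrganizationAccountAccessRole"}  # PrivilegedRoleList (AWS entry only)
HIERARCHY_EVENTS = {"LeaveOrganization", "CreateAccount", "MoveAccount"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def is_role_elevation(event, roles=PRIVILEGED_ROLES):
    """True for an sts:AssumeRole into one of the monitored high-privilege roles."""
    if event.get("eventName") != "AssumeRole":
        return False
    role_arn = event.get("requestParameters", {}).get("roleArn", "")
    return role_arn.rsplit("/", 1)[-1] in roles

def correlate(events, window=TIME_WINDOW, roles=PRIVILEGED_ROLES):
    """Alert on each hierarchy change; severity is high when the calling session came from a privileged AssumeRole within `window`."""
    alerts, elevations = [], {}  # assumed-role session ARN -> (time, original caller ARN)
    for e in sorted(events, key=_ts):
        if is_role_elevation(e, roles):
            session = e["responseElements"]["assumedRoleUser"]["arn"]
            elevations[session] = (_ts(e), e["userIdentity"]["arn"])
        elif e.get("eventSource") == "organizations.amazonaws.com" and e["eventName"] in HIERARCHY_EVENTS:
            actor = e["userIdentity"]["arn"]
            alert = {"event": e["eventName"], "actor": actor, "severity": "medium"}
            prior = elevations.get(actor)
            if prior and _ts(e) - prior[0] <= window:
                alert.update(severity="high", elevated_by=prior[1])
            alerts.append(alert)
    return alerts

# Constructed CloudTrail-style records, trimmed to the fields the logic reads; not real log data.
SESSION = "arn:aws:sts::222222222222:assumed-role/OrganizationAccountAccessRole/alice"
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-21T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole"},
     "responseElements": {"assumedRoleUser": {"arn": SESSION}}},
    {"eventTime": "2025-10-21T10:12:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "LeaveOrganization", "userIdentity": {"arn": SESSION}},
    {"eventTime": "2025-10-21T15:00:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "MoveAccount", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The LeaveOrganization issued from a session minted by a privileged AssumeRole 12 minutes earlier is rated high; the MoveAccount by a principal with no prior elevation is still recorded, at medium, so the baseline channel from the Log Sources table is never silently dropped.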