Modify Cloud Resource Hierarchy

Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.

IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.[1][2]

Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.[3][4]

In AWS environments, adversaries with appropriate permissions in a given account may call the LeaveOrganization API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the CreateAccount API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.[5]

ID: T1666
Sub-techniques: No sub-techniques
Tactic: Defense Evasion
Platforms: IaaS
Version: 1.0
Created: 25 September 2024
Last Modified: 25 September 2024

Mitigations

ID Mitigation Description
M1047 Audit

Periodically audit resource groups in the cloud management console to ensure that only expected items exist, especially close to the top of the hierarchy (e.g., AWS accounts and Azure subscriptions). Typically, top-level accounts (such as the AWS management account) should not contain any workloads or resources.[6]

M1054 Software Configuration

In Azure environments, consider setting a policy to block subscription transfers.[7] In AWS environments, consider using Service Control Policies to prevent the use of the LeaveOrganization API call.[5]

M1018 User Account Management

Limit permissions to add, delete, or modify resource groups to only those required.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Modification

Monitor for changes to resource groups, such as creating new resource groups or leaving top-level management groups. In Azure environments, monitor for changes to subscriptions.[8] In AWS environments, monitor for API calls such as CreateAccount or LeaveOrganization.[5]
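As an added example (not part of the ATT&CK page), the AWS side of this detection written against CloudTrail records: it flags the LeaveOrganization and CreateAccount calls named above, keeps denied attempts (for instance a LeaveOrganization blocked by the SCP from M1054) as findings, and suppresses CreateAccount only for a hypothetical account-vending role; the log lines and the allowlisted role ARN are constructed.

```python
import json

# Organizations API calls named in the technique description.
WATCHED_EVENTS = {"LeaveOrganization", "CreateAccount"}
ORG_SOURCE = "organizations.amazonaws.com"

# Hypothetical allowlist: the automation role expected to vend new accounts.
EXPECTED_CREATORS = {
    "arn:aws:sts::111111111111:assumed-role/AccountFactoryRole/vend",
}

# Constructed CloudTrail records (one JSON object per line), not real logs.
SAMPLE_LOG = """
{"eventTime":"2024-09-25T10:00:00Z","eventSource":"organizations.amazonaws.com","eventName":"DescribeOrganization","userIdentity":{"arn":"arn:aws:iam::222222222222:user/auditor"},"recipientAccountId":"222222222222"}
{"eventTime":"2024-09-25T10:05:00Z","eventSource":"organizations.amazonaws.com","eventName":"LeaveOrganization","userIdentity":{"arn":"arn:aws:iam::222222222222:user/dev-admin"},"recipientAccountId":"222222222222","errorCode":"AccessDenied"}
{"eventTime":"2024-09-25T10:10:00Z","eventSource":"organizations.amazonaws.com","eventName":"CreateAccount","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/AccountFactoryRole/vend"},"recipientAccountId":"111111111111","requestParameters":{"email":"team-a@example.com","accountName":"team-a"}}
{"eventTime":"2024-09-25T10:15:00Z","eventSource":"organizations.amazonaws.com","eventName":"CreateAccount","userIdentity":{"arn":"arn:aws:iam::111111111111:user/contractor"},"recipientAccountId":"111111111111","requestParameters":{"email":"shadow@example.net","accountName":"tmp"}}
"""


def parse_events(log_text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_hierarchy_changes(records):
    """Return one finding per Organizations call that alters the account hierarchy."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != ORG_SOURCE or rec.get("eventName") not in WATCHED_EVENTS:
            continue
        name = rec["eventName"]
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if name == "CreateAccount" and actor in EXPECTED_CREATORS:
            continue  # account vending by the expected automation role
        finding = {
            "event": name,
            "actor": actor,
            "account": rec.get("recipientAccountId"),  # member account for LeaveOrganization
            "time": rec.get("eventTime"),
            # A denied call (e.g. LeaveOrganization blocked by an SCP) is still an attempt worth triage.
            "blocked": rec.get("errorCode") is not None,
            "severity": "high" if name == "LeaveOrganization" else "medium",
        }
        if name == "CreateAccount":
            finding["new_account_email"] = (rec.get("requestParameters") or {}).get("email")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect_hierarchy_changes(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed log this yields two findings: the blocked LeaveOrganization attempt from the member account and the CreateAccount call made by a principal other than the vending role.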

References