T1666 involves modifying the cloud resource hierarchy to compromise security boundaries, such as moving projects between folders or altering organisational structures to inherit insecure policies. This IaaS technique targets the structural control plane where identity and permission inheritance are managed. DCV addresses T1666 by monitoring hierarchy mutation events across AWS Organizations, Azure Management Groups, and GCP Resource Manager. High-fidelity detection depends on observing unexpected movements at the organisational root. DCV provides the visibility required to catch these structural shifts before they enable broader persistence.
Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.
IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.
Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.
In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.
Platforms: IaaS.
DCV does not currently ship a cloud-audit-log finding mapped directly to T1666. The technique earns a library page because a13e research cites it. Detection sits downstream, on the exploitation step the technique enables.
CloudSigma does not currently ship a stand-alone rule that fires on T1666 in isolation. Generate a starting-point rule from the CVE, vulnerability disclosure, or threat-research blog post that exercises this technique, then pair it with SIEM-side correlation before enabling in production.
High-fidelity detection of T1666 requires correlation across multiple events: for example, a credential-validation call followed by a reconnaissance chain (List* / Describe*) within a short window from an unfamiliar source. A single-event Sigma rule on GetCallerIdentity alone fires constantly on legitimate CLI, SDK and CI/CD activity.
Where you have a specific advisory, vulnerability disclosure or blog post that exercises T1666-style abuse, CloudSigma can generate a starting-point rule from that input. You then deploy it in your SIEM and combine it with the SIEM's native correlation features (timeframe joins across users, source-IP anomalies, impossible-travel checks). For T1666 specifically the generated rule is rarely sufficient on its own; pair it with the SIEM-side correlation logic before enabling in production.
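The two detection shapes discussed above, as an added example that is not DCV's or CloudSigma's own code: a single-event rule for AWS Organizations hierarchy mutations (LeaveOrganization and CreateAccount as named in the technique description, plus a few other real Organizations APIs assumed here for completeness), and the multi-event correlation for a GetCallerIdentity call from an unfamiliar source followed by a List*/Describe* chain within a short window. The CloudTrail-style records, the account ID, the IP addresses and the known-source list are all constructed for the example.

```python
"""Two T1666-related detections run over constructed CloudTrail-style records.

1. Single-event rule: Organizations API calls that mutate the hierarchy are
   rare and high fidelity on their own.
2. Correlation rule: GetCallerIdentity from a source IP not in the known set,
   followed by >= min_recon List*/Describe* calls by the same principal inside
   a short window. GetCallerIdentity alone would be far too noisy.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# LeaveOrganization and CreateAccount are named in the technique description;
# the remaining entries are real AWS Organizations APIs added as an assumption
# about what a defender would also want to watch.
HIERARCHY_MUTATION_EVENTS = {
    "LeaveOrganization", "RemoveAccountFromOrganization", "CreateAccount",
    "MoveAccount", "DetachPolicy", "DeleteOrganizationalUnit",
}

# Constructed: source IPs a defender has already vetted (e.g. CI runners).
KNOWN_SOURCES = {"198.51.100.10"}

# Constructed sample log: newline-delimited CloudTrail-style records.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-01T10:00:20Z","eventSource":"organizations.amazonaws.com","eventName":"ListAccounts","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-01T10:00:45Z","eventSource":"organizations.amazonaws.com","eventName":"DescribeOrganization","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-01T10:01:10Z","eventSource":"organizations.amazonaws.com","eventName":"ListRoots","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"organizations.amazonaws.com","eventName":"LeaveOrganization","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-01T10:20:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-01T10:30:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.10","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/ci-runner/build-42"}}
{"eventTime":"2024-05-01T10:30:05Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.10","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/ci-runner/build-42"}}
"""


def parse_records(text):
    """Parse JSON-lines records, attach a datetime under "_ts", sort by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    records.sort(key=lambda r: r["_ts"])
    return records


def detect_hierarchy_mutation(records):
    """Single-event rule: any Organizations call in the mutation set."""
    return [
        r for r in records
        if r["eventSource"] == "organizations.amazonaws.com"
        and r["eventName"] in HIERARCHY_MUTATION_EVENTS
    ]


def detect_recon_chain(records, known_sources, window=timedelta(minutes=5), min_recon=3):
    """Correlation rule: unfamiliar-source GetCallerIdentity + recon chain.

    Events are grouped per principal ARN; only List*/Describe* calls that land
    within `window` of the credential-validation call count towards the chain.
    """
    by_principal = defaultdict(list)
    for r in records:
        by_principal[r["userIdentity"]["arn"]].append(r)

    alerts = []
    for principal, events in by_principal.items():  # events already time-sorted
        for i, ev in enumerate(events):
            if ev["eventName"] != "GetCallerIdentity" or ev["sourceIPAddress"] in known_sources:
                continue
            recon = [
                e for e in events[i + 1:]
                if e["_ts"] - ev["_ts"] <= window
                and e["eventName"].startswith(("List", "Describe"))
            ]
            if len(recon) >= min_recon:
                alerts.append({
                    "principal": principal,
                    "source": ev["sourceIPAddress"],
                    "start": ev["eventTime"],
                    "recon_calls": [e["eventName"] for e in recon],
                })
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for m in detect_hierarchy_mutation(recs):
        print("HIERARCHY MUTATION:", m["eventTime"], m["eventName"], m["userIdentity"]["arn"])
    for a in detect_recon_chain(recs, KNOWN_SOURCES):
        print("RECON CHAIN:", a)
```

In the sample, the user's three Organizations List*/Describe* calls within five minutes of an unfamiliar-source GetCallerIdentity produce one correlation alert, while the later DescribeInstances falls outside the window and the CI runner's identical-looking GetCallerIdentity is suppressed by the known-source list. The LeaveOrganization record is caught by the single-event rule regardless of source. The window, threshold and known-source list are the knobs a SIEM would normally supply through its own correlation features.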
T1666 is part of MITRE ATT&CK TA0112 Defense Impairment: How adversaries disable or degrade the defences that would have spotted them.