MITRE ATT&CK Technique
Defense Evasion T1666
Description

Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.

IaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)

Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim’s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)

In AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS RE:Inforce Threat Detection 2024)
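
A detection-side illustration of the AWS behavior described above, added here and not part of the ATT&CK entry: it triages CloudTrail records for the `LeaveOrganization` and `CreateAccount` calls, reporting rejected attempts as well as successes. The approved-creator role ARN, the account IDs and the sample records are constructed assumptions.

```python
import json

# The two AWS Organizations calls named in the description, with a triage severity.
WATCHED = {"LeaveOrganization": "high", "CreateAccount": "medium"}
# Assumption: a hypothetical account-vending role is the only expected account creator.
VENDING_ROLE = "arn:aws:sts::111111111111:assumed-role/AccountFactory/pipeline"
APPROVED_CREATORS = {VENDING_ROLE}

def triage(event):
    """Return a finding for one CloudTrail record, or None if it is not relevant."""
    name = event.get("eventName")
    if event.get("eventSource") != "organizations.amazonaws.com" or name not in WATCHED:
        return None
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    if name == "CreateAccount" and actor in APPROVED_CREATORS:
        return None  # expected provisioning activity
    outcome = "failed" if event.get("errorCode") else "succeeded"  # rejected calls still count
    return {"time": event.get("eventTime"), "account": event.get("recipientAccountId"),
            "action": name, "actor": actor, "severity": WATCHED[name], "outcome": outcome}

def scan(lines):
    """Triage JSON-lines CloudTrail records, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except (json.JSONDecodeError, TypeError):
            continue
        if isinstance(record, dict) and (finding := triage(record)):
            findings.append(finding)
    return findings

def _sample(name, arn, error=None):
    rec = {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "organizations.amazonaws.com",
           "eventName": name, "recipientAccountId": arn.split(":")[4],
           "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)

# Constructed sample records, not real log data.
SAMPLE_LOG = [
    _sample("LeaveOrganization", "arn:aws:iam::222222222222:user/ops"),
    _sample("LeaveOrganization", "arn:aws:iam::333333333333:user/dev", "AccessDeniedException"),
    _sample("CreateAccount", VENDING_ROLE),
    _sample("CreateAccount", "arn:aws:iam::111111111111:user/helpdesk"),
    _sample("DescribeOrganization", "arn:aws:iam::111111111111:user/helpdesk"),
    "not json",
]
```

Calling `scan(SAMPLE_LOG)` returns three findings: both `LeaveOrganization` calls and the `CreateAccount` call made outside the approved role.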

Supported Platforms
IaaS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2024-09-25T14:16:19.234Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may attempt to modify hierarchical structures in '
                'infrastructure-as-a-service (IaaS) environments in order to '
                'evade defenses.  \n'
                '\n'
                'IaaS environments often group resources into a hierarchy, '
                'enabling improved resource management and application of '
                'policies to relevant groups. Hierarchical structures differ '
                'among cloud providers. For example, in AWS environments, '
                'multiple accounts can be grouped under a single organization, '
                'while in Azure environments, multiple subscriptions can be '
                'grouped under a single management group.(Citation: AWS '
                'Organizations)(Citation: Microsoft Azure Resources)\n'
                '\n'
                'Adversaries may add, delete, or otherwise modify resource '
                'groups within an IaaS hierarchy. For example, in Azure '
                'environments, an adversary who has gained access to a Global '
                'Administrator account may create new subscriptions in which '
                'to deploy resources. They may also engage in subscription '
                'hijacking by transferring an existing pay-as-you-go '
                'subscription from a victim tenant to an adversary-controlled '
                'tenant. This will allow the adversary to use the victim’s '
                'compute resources without generating logs on the victim '
                'tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: '
                'Microsoft Subscription Hijacking 2022)\n'
                '\n'
                'In AWS environments, adversaries with appropriate permissions '
                'in a given account may call the `LeaveOrganization` API, '
                'causing the account to be severed from the AWS Organization '
                'to which it was tied and removing any Service Control '
                'Policies, guardrails, or restrictions imposed upon it by its '
                'former Organization. Alternatively, adversaries may call the '
                '`CreateAccount` API in order to create a new account within '
                'an AWS Organization. This account will use the same payment '
                'methods registered to the payment account but may not be '
                'subject to existing detections or Service Control '
                'Policies.(Citation: AWS RE:Inforce Threat Detection 2024)',
 'external_references': [{'external_id': 'T1666',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1666'},
                         {'description': 'AWS. (n.d.). Terminology and '
                                         'concepts for AWS Organizations. '
                                         'Retrieved September 25, 2024.',
                          'source_name': 'AWS Organizations',
                          'url': 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html'},
                         {'description': 'Ben Fletcher and Steve de Vera. '
                                         '(2024, June). New tactics and '
                                         'techniques for proactive threat '
                                         'detection. Retrieved September 25, '
                                         '2024.',
                          'source_name': 'AWS RE:Inforce Threat Detection 2024',
                          'url': 'https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf'},
                         {'description': 'Dor Edry. (2022, August 24). Hunt '
                                         'for compromised Azure subscriptions '
                                         'using Microsoft Defender for Cloud '
                                         'Apps. Retrieved September 5, 2023.',
                          'source_name': 'Microsoft Subscription Hijacking '
                                         '2022',
                          'url': 'https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121'},
                         {'description': 'Microsoft Azure. (2024, May 31). '
                                         'Organize your Azure resources '
                                         'effectively. Retrieved September 25, '
                                         '2024.',
                          'source_name': 'Microsoft Azure Resources',
                          'url': 'https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources'},
                         {'description': 'Microsoft Threat Intelligence. '
                                         '(2023, September 14). Peach '
                                         'Sandstorm password spray campaigns '
                                         'enable intelligence collection at '
                                         'high-value targets. Retrieved '
                                         'September 18, 2023.',
                          'source_name': 'Microsoft Peach Sandstorm 2023',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/'}],
 'id': 'attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-04-15T22:49:45.874Z',
 'name': 'Modify Cloud Resource Hierarchy',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['IaaS'],
 'x_mitre_version': '1.0'}