AN0442: Analytic 0442
Monitor for unauthorized or unusual modifications to cloud resource hierarchies such as AWS Organizations or Azure Management Groups. Defenders may observe anomalous calls to APIs like `LeaveOrganization`, `CreateAccount`, `MoveAccount`, or Azure subscription transfers. Correlate account activity with administrative role assignments, tenant transfers, or new subscription creation that deviates from organizational baselines. Multi-event correlation should track role elevation followed by hierarchy modifications within a short time window.
Analyst context for executives and security teams
This analytic matters because changes to cloud resource hierarchies can alter who controls accounts, subscriptions, billing boundaries, policy inheritance, and security oversight. For leaders, the key issue is not just whether an API call occurred, but whether the organization can quickly prove that account movement, new account creation, organization departure, or subscription transfer activity was authorized and consistent with governance expectations.
Executive priority
Treat this as a cloud governance and incident decision point. Security and cloud leaders should ask whether AWS Organizations and Azure Management Group or subscription hierarchy changes are logged, reviewed, and tied to approved administrative activity. The priority is strongest where cloud accounts or subscriptions support regulated workloads, critical services, centralized security controls, or audit evidence requirements, because unauthorized hierarchy changes can undermine visibility, policy enforcement, and response coordination.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for unusual or unauthorized cloud hierarchy modifications on IaaS platforms. The supplied analytic specifically highlights AWS Organizations and Azure Management Groups, with API or activity examples including LeaveOrganization, CreateAccount, MoveAccount, and Azure subscription transfers. Detection should correlate hierarchy changes with administrative role assignments, tenant transfers, new subscription creation, and recent role elevation within a short time window. Because no ATT&CK tactic or relationship context is supplied, teams should avoid assuming a specific intrusion phase and instead focus on whether the activity deviates from the organization’s normal cloud administration baseline.
Likely telemetry
- Cloud control-plane audit logs for AWS Organizations and Azure management activity
- API activity for LeaveOrganization, CreateAccount, MoveAccount, and comparable hierarchy or subscription transfer operations
- Administrative role assignment and role elevation events
- Azure tenant transfer, subscription transfer, and new subscription creation records
- Cloud account, subscription, and management group inventory or hierarchy change history
Detection direction
- Baseline normal cloud hierarchy administration patterns, including expected administrators, source locations, time windows, and approved automation.
- Correlate role elevation or new administrative role assignment followed by organization, account, management group, or subscription movement in a short time window.
- Tune for legitimate cloud operations such as planned account vending, restructuring, mergers, migrations, or subscription lifecycle automation to reduce false positives.
- Prioritize alerts where hierarchy changes affect accounts or subscriptions containing critical workloads, centralized logging, security tooling, or regulated environments.
- Check for blind spots in cloud audit retention, cross-account visibility, tenant-level logging, and coverage of newly created or transferred subscriptions.
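The correlation the analytic and the detection directions above describe (role elevation followed by a hierarchy change within a short window, tuned against an approved-automation baseline and prioritized by affected account) can be expressed as a small SIEM-style rule. The block below is an added example and not ATT&CK or Glexia code; the event shape, the Azure operation names, the principals, account IDs and the 30-minute window are assumptions constructed for illustration.

```python
"""Correlate privilege elevation with cloud hierarchy changes (added example).

Not ATT&CK or Glexia code. Event records are constructed to resemble the
fields a SIEM would normalize from AWS CloudTrail (Organizations API calls)
and Azure activity logs; field names, principals, account IDs and the
30-minute window are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Hierarchy-changing operations from the analytic, plus an assumed Azure analogue
HIERARCHY_OPS = {
    "LeaveOrganization",
    "CreateAccount",
    "MoveAccount",
    # Azure: place/move a subscription under a management group (assumed name)
    "Microsoft.Management/managementGroups/subscriptions/write",
}

# Operations that grant administrative rights to a principal (assumed examples)
ELEVATION_OPS = {
    "AttachUserPolicy",
    "AttachRolePolicy",
    "AddUserToGroup",
    "Microsoft.Authorization/roleAssignments/write",
}

# Baseline: automation expected to vend or move accounts (constructed)
APPROVED_AUTOMATION = {"arn:aws:iam::111111111111:role/AccountVendingMachine"}

# Accounts whose movement or departure is always escalated (constructed)
CRITICAL_ACCOUNTS = {"222222222222"}  # e.g. the centralized logging account

WINDOW = timedelta(minutes=30)


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-01-15T02:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(events, window=WINDOW):
    """Return severity-ranked alerts for hierarchy changes.

    medium:   change by a principal outside the approved-automation baseline
    high:     the acting principal received an elevation event within `window`
    critical: the affected account is in CRITICAL_ACCOUNTS (either case)
    Approved automation is ignored unless it was itself elevated recently.
    """
    last_elevation = {}  # principal that RECEIVED rights -> time of the grant
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        now = _ts(ev["time"])
        if ev["op"] in ELEVATION_OPS:
            last_elevation[ev["target"]] = now
            continue
        if ev["op"] not in HIERARCHY_OPS:
            continue
        actor = ev["principal"]
        granted = last_elevation.get(actor)
        recently_elevated = granted is not None and now - granted <= window
        if actor in APPROVED_AUTOMATION and not recently_elevated:
            continue  # expected account-vending / lifecycle automation
        severity = "high" if recently_elevated else "medium"
        if ev.get("account") in CRITICAL_ACCOUNTS:
            severity = "critical"
        alerts.append({
            "time": ev["time"],
            "principal": actor,
            "op": ev["op"],
            "account": ev.get("account"),
            "severity": severity,
            "elevated_at": granted.isoformat() if recently_elevated else None,
        })
    return alerts


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"time": "2026-01-15T02:00:00Z", "op": "AttachUserPolicy",
     "principal": "arn:aws:iam::111111111111:user/bob",
     "target": "arn:aws:iam::111111111111:user/alice"},
    {"time": "2026-01-15T02:12:00Z", "op": "MoveAccount",
     "principal": "arn:aws:iam::111111111111:user/alice",
     "account": "222222222222"},
    {"time": "2026-01-15T02:15:00Z", "op": "LeaveOrganization",
     "principal": "arn:aws:iam::111111111111:user/alice",
     "account": "333333333333"},
    {"time": "2026-01-15T09:00:00Z", "op": "CreateAccount",
     "principal": "arn:aws:iam::111111111111:role/AccountVendingMachine",
     "account": "444444444444"},
    {"time": "2026-01-15T10:00:00Z",
     "op": "Microsoft.Authorization/roleAssignments/write",
     "principal": "admin@contoso.example", "target": "carol@contoso.example"},
    {"time": "2026-01-15T14:00:00Z",
     "op": "Microsoft.Management/managementGroups/subscriptions/write",
     "principal": "carol@contoso.example", "account": "sub-0000-constructed"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["principal"], alert["op"])
```

Running the sample yields three alerts: the MoveAccount on the critical account and the LeaveOrganization both by a principal elevated twelve and fifteen minutes earlier, and a medium-severity subscription move by a principal whose role assignment fell outside the window. The vending-machine CreateAccount is suppressed by the baseline. In production the elevation map would need the same identity normalization the rest of the SIEM uses, since the ARN that receives a policy and the ARN that later calls Organizations may differ in form (user versus assumed-role session).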
Mitigation priorities
- Define and enforce governance for who may create, move, transfer, or remove cloud accounts and subscriptions from organizational structures.
- Require approval and change evidence for cloud hierarchy modifications, especially for production, security, and regulated environments.
- Limit administrative privileges for organization, management group, tenant transfer, and subscription transfer actions to a small set of authorized roles.
- Ensure cloud audit logging and retention cover organization-level and tenant-level administrative actions, including newly created or moved resources.
- Regularly reconcile cloud inventory and hierarchy state against approved architecture and ownership records.
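The last mitigation, reconciling the live hierarchy against approved architecture and ownership records, is a drift check that can run on a schedule. The block below is an added example, not ATT&CK or Glexia code; the nested root/OU/account tree mimics the shape of an AWS Organizations listing as an inventory job might export it, and the OU names, account IDs and owner tags are constructed.

```python
"""Reconcile observed cloud hierarchy against approved ownership records.

Added example, not ATT&CK or Glexia code. The nested tree is an assumed
export shape for an AWS Organizations root/OU/account listing; OU names,
account IDs and owners are constructed.
"""


def flatten(node, path=()):
    """Walk a root/OU tree and yield (account_id, ou_path, owner_tag)."""
    here = path + (node["name"],)
    for acct in node.get("accounts", []):
        yield acct["id"], "/".join(here), acct.get("owner")
    for child in node.get("children", []):
        yield from flatten(child, here)


def reconcile(observed_tree, approved):
    """Compare the live hierarchy with the approved record.

    approved: {account_id: {"ou": "Root/Security", "owner": "secops"}}
    Returns a sorted list of (finding, account_id, detail) tuples covering
    accounts that moved, changed owner, appeared without approval, or vanished
    (e.g. left the organization).
    """
    observed = {acct: (ou, owner) for acct, ou, owner in flatten(observed_tree)}
    findings = []
    for acct, (ou, owner) in observed.items():
        record = approved.get(acct)
        if record is None:
            findings.append(("unapproved_account", acct, ou))
            continue
        if ou != record["ou"]:
            findings.append(("moved", acct, f"{record['ou']} -> {ou}"))
        if owner != record["owner"]:
            findings.append(("owner_drift", acct, f"{record['owner']} -> {owner}"))
    for acct in sorted(approved.keys() - observed.keys()):
        findings.append(("missing_account", acct, approved[acct]["ou"]))
    return sorted(findings)


# Constructed live hierarchy: the logging account has drifted into Sandbox,
# a workload account lost its owner tag, an unknown account appeared, and
# one approved account is gone.
OBSERVED_TREE = {
    "name": "Root",
    "children": [
        {"name": "Security", "accounts": []},
        {"name": "Workloads", "accounts": [{"id": "555555555555", "owner": "unknown"}]},
        {"name": "Sandbox", "accounts": [
            {"id": "222222222222", "owner": "secops"},
            {"id": "666666666666", "owner": "dev"},
        ]},
    ],
}

# Constructed approved record (what architecture and ownership data say should exist)
APPROVED = {
    "222222222222": {"ou": "Root/Security", "owner": "secops"},
    "333333333333": {"ou": "Root/Workloads", "owner": "app-team"},
    "555555555555": {"ou": "Root/Workloads", "owner": "app-team"},
}

if __name__ == "__main__":
    for finding, acct, detail in reconcile(OBSERVED_TREE, APPROVED):
        print(f"{finding:20} {acct} {detail}")
```

The four finding types map directly onto the governance questions in this section: a "moved" or "missing_account" finding is evidence to compare against change records, while "unapproved_account" and "owner_drift" indicate account creation or ownership changes that bypassed the approval path.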
Analyst notes and limits
This is a detection analytic, not a technique description. Its value is in validating whether cloud governance events are observable and correlated with identity administration activity. The strongest local enrichment will come from known cloud administrators, approved automation, account vending workflows, subscription ownership records, and change-management data.
The supplied ATT&CK object provides no official detection section, no tactics, and no relationship context. It supports IaaS-focused monitoring guidance only. Any assessment of exposure, active exploitation, adversary attribution, or actual detection coverage requires local cloud logs, identity records, and environment-specific baselines.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4480b8e9bd0e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0442 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.