DET0155: Detection Strategy for Modify Cloud Resource Hierarchy
Analyst context for executives and security teams
DET0155 is a MITRE detection strategy for spotting changes to cloud resource hierarchies associated with ATT&CK technique T1666, Modify Cloud Resource Hierarchy. The business significance is that hierarchy changes in IaaS environments can affect where policies, monitoring, and administrative controls apply. If an adversary can move or restructure cloud accounts, subscriptions, or similar groupings, they may be trying to weaken defenses rather than directly disrupt systems.
Executive priority
Treat this as a cloud governance and defense-assurance issue. Security leaders should ask whether cloud hierarchy changes are logged, reviewed, and tied to approved change processes. The priority is not only detecting a suspicious action, but proving that policy inheritance, monitoring scope, and administrative oversight remain intact after organizational, account, or subscription-level changes.
Technical view
The supplied ATT&CK object has no official detection text and no standalone platforms or tactics, but it detects T1666, which is an enterprise ATT&CK defense-impairment technique for IaaS. SOC, cloud security, and IR teams should validate visibility into cloud control-plane events that modify resource hierarchy relationships, such as grouping, moving, attaching, detaching, or reorganizing cloud resource containers where policies are inherited. Detection logic should be evaluated against legitimate administrative changes, cloud migration activity, mergers or reorganizations, and automated infrastructure management to avoid excessive false positives.
Likely telemetry
- Cloud control-plane audit logs for hierarchy, organization, account, subscription, folder, or management-group changes
- Identity and access records showing which principal performed the hierarchy change
- Change-management records or deployment pipeline logs for approved cloud governance changes
- Cloud policy or configuration-state history showing inherited control changes before and after the event
- Administrative session context such as source location, authentication method, and role used where available
Detection direction
- Confirm that cloud hierarchy modification events are collected centrally and retained long enough for incident response and audit review.
- Correlate hierarchy changes with the actor identity, role privilege, approval record, and timing of related policy or monitoring changes.
- Tune detections to distinguish expected cloud administration from unusual hierarchy changes involving sensitive production, security, logging, or policy-governed resource groupings.
- Look for relationship-driven context: because T1666 is defense-impairment, prioritize events that could alter policy inheritance or reduce defensive visibility.
- Identify blind spots where cloud provider organization-level logs are not integrated into the SOC or where only workload logs are collected.
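The correlation steps above can be prototyped as a small triage pass over control-plane records. This is an added example, not part of the DET0155 object or the original page. It assumes AWS Organizations events in CloudTrail as one provider's instance of hierarchy changes, and the OU IDs, role ARNs, approval set, and sample records are constructed for illustration.

```python
ORG_SOURCE = "organizations.amazonaws.com"
HIERARCHY_EVENTS = {"MoveAccount", "LeaveOrganization", "RemoveAccountFromOrganization",
                    "DeleteOrganizationalUnit", "AttachPolicy", "DetachPolicy"}
EXIT_EVENTS = {"LeaveOrganization", "RemoveAccountFromOrganization"}
# Assumptions: local inventory of sensitive OUs and the one governed admin role.
ADMIN = "arn:aws:iam::111111111111:role/OrgAdmin"
OTHER = "arn:aws:iam::111111111111:role/Dev"
SENSITIVE_OUS = {"ou-exmp-security", "ou-exmp-logging"}
GOVERNED_ROLES = {ADMIN}

def principal_of(rec):
    """Prefer the role behind an assumed-role session over the session ARN."""
    ident = rec.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or "unknown"

def triage(records, approved):
    """approved: set of (eventName, principal ARN, YYYY-MM-DD) from change records."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != ORG_SOURCE or name not in HIERARCHY_EVENTS:
            continue
        who, params = principal_of(rec), rec.get("requestParameters") or {}
        touched = {params.get("sourceParentId"), params.get("targetId")}
        reasons = []
        if who not in GOVERNED_ROLES:
            reasons.append("principal outside governed roles")
        if (name, who, rec.get("eventTime", "")[:10]) not in approved:
            reasons.append("no approved change record")
        if name in {"MoveAccount", "DetachPolicy"} and touched & SENSITIVE_OUS:
            reasons.append("removes account or policy from a sensitive OU")
        if name in EXIT_EVENTS:
            reasons.append("account exits organization policy scope")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
        findings.append({"severity": severity, "event": name, "principal": who, "reasons": reasons})
    return findings

def _rec(time, name, role, **params):  # builds a constructed, trimmed record
    return {"eventTime": time, "eventSource": ORG_SOURCE, "eventName": name,
            "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": role}}},
            "requestParameters": params}

SAMPLE = [  # constructed records, not real log data
    _rec("2025-01-10T09:00:00Z", "MoveAccount", ADMIN, accountId="333333333333",
         sourceParentId="ou-exmp-dev", destinationParentId="ou-exmp-stage"),
    _rec("2025-01-11T02:14:00Z", "MoveAccount", OTHER, accountId="444444444444",
         sourceParentId="ou-exmp-logging", destinationParentId="r-exmp"),
    _rec("2025-01-11T02:20:00Z", "RemoveAccountFromOrganization", ADMIN, accountId="333333333333"),
]
APPROVED = {("MoveAccount", ADMIN, "2025-01-10")}
```

Calling `triage(SAMPLE, APPROVED)` rates the approved move as `info` and the other two records as `high`, with the reasons listed per finding for analyst review.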
Mitigation priorities
- Establish formal approval and review for cloud hierarchy changes affecting IaaS governance scope.
- Restrict permissions for modifying organizations, accounts, subscriptions, folders, or equivalent hierarchy constructs to tightly governed administrative roles.
- Enable and centralize control-plane audit logging for hierarchy and policy-scope changes.
- Regularly validate that security policies, monitoring, and logging still apply after hierarchy modifications.
- Use incident response playbooks that include checking recent hierarchy changes when investigating suspected cloud defense impairment.
Analyst notes and limits
This take is derived from the DET0155 detection-strategy object and its stated relationship to T1666, Modify Cloud Resource Hierarchy. The key defensive value is validating governance-plane visibility and change control around cloud hierarchy structures, because those structures can determine where security policies and monitoring apply.
The DET0155 object provides no official description, no official detection text, and no explicit platforms or tactics of its own. Platform and tactic context comes only from the related T1666 technique, which lists IaaS and defense-impairment. Local cloud architecture, provider-specific hierarchy models, and available audit logs are required to turn this into production detection logic.
Detection Strategy for Modify Cloud Resource Hierarchy
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1666 | Modify Cloud Resource Hierarchy | This object detects Modify Cloud Resource Hierarchy. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3b1f7d8a5c29… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0155
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.