T1548.005

Temporary Elevated Cloud Access

Adversaries abuse cloud permission mechanisms to gain temporarily elevated access to cloud resources. This includes AWS AssumeRole, GCP impersonation, Azure PIM just-in-time access, and similar constructs. Attackers may abuse these features to escalate from a low-privilege identity to a higher-privilege role, pass roles to resources to gain persistent access, or exploit Google Workspace domain-wide delegation. The technique involves legitimate cloud APIs but used maliciously for privilege escalation beyond intended authorization.

Microsoft Sentinel / Defender

kusto

// T1548.005 — Temporary Elevated Cloud Access detection
// Covers AWS AssumeRole, Azure PIM, and Google Workspace delegation abuse
// Part 1: Detect unusual AssumeRole patterns in Azure (sign-in logs)
let AzurePIMAbuse = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| where AppDisplayName has_any ("Microsoft Azure", "Azure Portal", "PIM", "Privileged Identity")
| where ConditionalAccessStatus != "success"
    or RiskLevelDuringSignIn !in ("none", "")
| extend DetectionType = "Azure_PIM_Risk_Signin"
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
          AppDisplayName, ConditionalAccessStatus, RiskLevelDuringSignIn, DetectionType;
// Part 2: Detect Azure role activation outside expected patterns
let AzureRoleActivation = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Add member to role in PIM completed",
                               "Activate role", "Add eligible member to role")
| where Result =~ "success"
| extend TargetRole = tostring(TargetResources[0].displayName)
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where TargetRole has_any ("Owner", "Contributor", "Global Admin",
                            "Privileged Role Admin", "Security Admin")
| extend DetectionType = "Azure_High_Priv_Role_Activated"
| project TimeGenerated, Actor, TargetRole, Result, DetectionType;
// Part 3: Detect Cloud Shell or CLI role assumption from new locations
let CloudShellAbuse = SigninLogs
| where TimeGenerated > ago(24h)
| where AppDisplayName has_any ("Azure Cloud Shell", "Azure CLI", "Azure PowerShell")
| where RiskLevelDuringSignIn !in ("none", "")
    or NetworkLocationDetails contains "unfamiliarFeatures"
| extend DetectionType = "Cloud_Shell_Risk_Login"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          RiskLevelDuringSignIn, DetectionType;
union AzurePIMAbuse, AzureRoleActivation, CloudShellAbuse
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Logon Session: Logon Session Creation Azure AD Sign-in Logs Azure AD Audit Logs

Required Tables

SigninLogs AuditLogs

False Positives

Authorized IT administrators activating PIM roles for planned maintenance activities
Security team members elevating privileges for incident response during known incidents
DevOps engineers assuming cross-account roles for authorized deployment activities
Automated pipelines that assume roles for CI/CD operations in cloud infrastructure

Elastic Security (EQL)

eql

any where (
  (
    event.dataset == "aws.cloudtrail" and
    event.action == "AssumeRole" and
    event.outcome == "success" and
    (
      aws.cloudtrail.request_parameters like~ "*AdministratorAccess*" or
      aws.cloudtrail.request_parameters like~ "*PowerUserAccess*" or
      aws.cloudtrail.request_parameters like~ "*OrganizationAccountAccessRole*" or
      aws.cloudtrail.request_parameters like~ "*FullAccess*"
    )
  ) or
  (
    event.dataset == "azure.auditlogs" and
    event.outcome == "success" and
    (
      azure.auditlogs.operation_name like~ "*Add member to role in PIM completed*" or
      azure.auditlogs.operation_name like~ "*Activate role*" or
      azure.auditlogs.operation_name like~ "*Add eligible member to role*"
    ) and
    (
      azure.auditlogs.properties.target_resources like~ "*Owner*" or
      azure.auditlogs.properties.target_resources like~ "*Global Administrator*" or
      azure.auditlogs.properties.target_resources like~ "*Privileged Role Administrator*" or
      azure.auditlogs.properties.target_resources like~ "*Security Administrator*" or
      azure.auditlogs.properties.target_resources like~ "*Contributor*"
    )
  ) or
  (
    event.dataset == "googlecloud.audit" and
    (
      gcp.audit.method_name like~ "*setIamPolicy*" or
      gcp.audit.method_name like~ "*impersonateServiceAccount*" or
      gcp.audit.method_name like~ "*signJwt*" or
      gcp.audit.method_name like~ "*generateIdToken*"
    )
  ) or
  (
    event.dataset == "azure.signinlogs" and
    (
      azure.signinlogs.properties.app_display_name like~ "*PIM*" or
      azure.signinlogs.properties.app_display_name like~ "*Privileged Identity*"
    ) and
    azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium")
  )
)

high severity high confidence

Data Sources

AWS CloudTrail (Elastic AWS integration) Azure Audit Logs (Elastic Azure integration) Azure Sign-in Logs (Elastic Azure integration) GCP Cloud Audit Logs (Elastic GCP integration)

Required Tables

logs-aws.cloudtrail-* logs-azure.auditlogs-* logs-azure.signinlogs-* logs-gcp.audit-*

False Positives

Legitimate IT administrators activating Azure PIM roles during approved maintenance windows with valid change management tickets — cross-reference against ServiceNow or Jira change records
Automated CI/CD pipelines (GitHub Actions, Jenkins, Terraform Cloud) assuming high-privilege AWS roles for approved infrastructure deployments — check for known automation source IPs and IAM role naming conventions
GCP Cloud Build jobs or Dataflow pipelines that legitimately impersonate service accounts as part of their approved execution model — validate against known build project IDs and scheduled execution times

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS source_type,
  QIDNAME(qid) AS event_name,
  CASE
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%AWS%'
      AND "Event Name" ILIKE '%AssumeRole%'
      AND (
        "Request Parameters" ILIKE '%AdministratorAccess%'
        OR "Request Parameters" ILIKE '%PowerUserAccess%'
        OR "Request Parameters" ILIKE '%OrganizationAccountAccessRole%'
        OR "Request Parameters" ILIKE '%FullAccess%'
      )
      THEN 'AWS_AssumeRole_High_Priv'
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
      AND (
        "Operation Name" ILIKE '%Activate role%'
        OR "Operation Name" ILIKE '%Add member to role in PIM%'
        OR "Operation Name" ILIKE '%Add eligible member to role%'
      )
      AND (
        "Target Resource" ILIKE '%Owner%'
        OR "Target Resource" ILIKE '%Global Admin%'
        OR "Target Resource" ILIKE '%Privileged Role Admin%'
        OR "Target Resource" ILIKE '%Security Admin%'
        OR "Target Resource" ILIKE '%Contributor%'
      )
      THEN 'Azure_PIM_High_Priv_Activation'
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%Google%'
      AND (
        "Method Name" ILIKE '%setIamPolicy%'
        OR "Method Name" ILIKE '%impersonateServiceAccount%'
        OR "Method Name" ILIKE '%signJwt%'
        OR "Method Name" ILIKE '%generateIdToken%'
      )
      THEN 'GCP_IAM_Impersonation'
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
      AND (
        "App Display Name" ILIKE '%PIM%'
        OR "App Display Name" ILIKE '%Privileged Identity%'
      )
      AND (
        "Risk Level During SignIn" ILIKE '%high%'
        OR "Risk Level During SignIn" ILIKE '%medium%'
      )
      THEN 'Azure_PIM_Risky_Signin'
    ELSE NULL
  END AS detection_type
FROM events
WHERE starttime > NOW() - 86400000
  AND (
    LOGSOURCETYPENAME(devicetype) ILIKE '%AWS%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Google%'
  )
  AND (
    (
      "Event Name" ILIKE '%AssumeRole%'
      AND (
        "Request Parameters" ILIKE '%AdministratorAccess%'
        OR "Request Parameters" ILIKE '%PowerUserAccess%'
        OR "Request Parameters" ILIKE '%OrganizationAccountAccessRole%'
        OR "Request Parameters" ILIKE '%FullAccess%'
      )
    )
    OR (
      (
        "Operation Name" ILIKE '%Activate role%'
        OR "Operation Name" ILIKE '%Add member to role in PIM%'
        OR "Operation Name" ILIKE '%Add eligible member to role%'
      )
      AND (
        "Target Resource" ILIKE '%Owner%'
        OR "Target Resource" ILIKE '%Global Admin%'
        OR "Target Resource" ILIKE '%Privileged Role Admin%'
        OR "Target Resource" ILIKE '%Security Admin%'
        OR "Target Resource" ILIKE '%Contributor%'
      )
    )
    OR (
      "Method Name" ILIKE '%setIamPolicy%'
      OR "Method Name" ILIKE '%impersonateServiceAccount%'
      OR "Method Name" ILIKE '%signJwt%'
      OR "Method Name" ILIKE '%generateIdToken%'
    )
    OR (
      (
        "App Display Name" ILIKE '%PIM%'
        OR "App Display Name" ILIKE '%Privileged Identity%'
      )
      AND (
        "Risk Level During SignIn" ILIKE '%high%'
        OR "Risk Level During SignIn" ILIKE '%medium%'
      )
    )
  )
HAVING detection_type IS NOT NULL
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

AWS CloudTrail DSM Microsoft Azure Active Directory DSM Google Cloud Platform Audit DSM

Required Tables

events

False Positives

Security operations center analysts activating PIM roles for approved incident response tasks — correlate against open incident tickets and known analyst accounts to suppress during active investigations
Infrastructure-as-code automation tools (Terraform, Pulumi, AWS CDK) using cross-account role assumption during planned deployment runs — validate against known automation IAM principals and deployment schedule windows
GCP Workload Identity Federation operations where legitimate cross-project or cross-organization service account impersonation is required by approved application design — check federation configuration and expected calling projects

Sumo Logic CSE

sql

(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/audit OR _sourceCategory=azure/signinlogs OR _sourceCategory=gcp/audit)
| json auto
| where (
    (_sourceCategory matches "*aws/cloudtrail*"
      and eventName = "AssumeRole"
      and (
        requestParameters matches "*AdministratorAccess*"
        or requestParameters matches "*PowerUserAccess*"
        or requestParameters matches "*OrganizationAccountAccessRole*"
        or requestParameters matches "*FullAccess*"
      )
    )
    or (_sourceCategory matches "*azure/audit*"
      and (
        operationName matches "*Activate role*"
        or operationName matches "*Add member to role in PIM*"
        or operationName matches "*Add eligible member to role*"
      )
      and (
        targetResource matches "*Owner*"
        or targetResource matches "*Global Admin*"
        or targetResource matches "*Privileged Role Admin*"
        or targetResource matches "*Security Admin*"
        or targetResource matches "*Contributor*"
      )
    )
    or (_sourceCategory matches "*gcp/audit*"
      and (
        methodName matches "*setIamPolicy*"
        or methodName matches "*impersonateServiceAccount*"
        or methodName matches "*signJwt*"
        or methodName matches "*generateIdToken*"
      )
    )
    or (_sourceCategory matches "*azure/signinlogs*"
      and (
        appDisplayName matches "*PIM*"
        or appDisplayName matches "*Privileged Identity*"
      )
      and (riskLevelDuringSignIn = "high" or riskLevelDuringSignIn = "medium")
    )
  )
| eval detection_type = if(_sourceCategory matches "*aws/cloudtrail*" and eventName = "AssumeRole",
    "AWS_AssumeRole_High_Priv",
    if(_sourceCategory matches "*azure/audit*"
      and (operationName matches "*Activate role*" or operationName matches "*Add member to role in PIM*" or operationName matches "*Add eligible member to role*"),
      "Azure_PIM_High_Priv_Activation",
      if(_sourceCategory matches "*gcp/audit*",
        "GCP_IAM_Impersonation",
        if(_sourceCategory matches "*azure/signinlogs*",
          "Azure_PIM_Risky_Signin",
          "Unknown"
        )
      )
    )
  )
| where detection_type != "Unknown"
| fields _messageTime, user, src_ip, detection_type, _sourceCategory
| sort by _messageTime desc

high severity high confidence

Data Sources

AWS CloudTrail Azure Audit Logs Azure Sign-in Logs GCP Cloud Audit Logs

Required Tables

aws/cloudtrail azure/audit azure/signinlogs gcp/audit

False Positives

Legitimate cloud administrators using just-in-time access workflows with valid change management approvals — cross-reference Sumo Logic alerts against ITSM ticket numbers recorded in the audit log justification fields
DevOps automation using AWS cross-account AssumeRole for approved multi-account deployments or centralized logging configurations — verify caller identity matches known automation IAM roles (e.g., deploy-role, pipeline-role)
Azure PIM role activations triggered during known on-call rotation periods where engineers receive elevated access for scheduled duties — suppress alerts that match on-call schedule data from PagerDuty or OpsGenie integrations

Google Chronicle / SecOps

yaral

rule T1548_005_Temporary_Elevated_Cloud_Access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects temporary elevated cloud access abuse: AWS AssumeRole to high-privilege policies, Azure PIM high-privilege role activation, risky Azure PIM sign-ins, and GCP IAM service account impersonation (MITRE ATT&CK T1548.005)"
    severity = "HIGH"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548.005"
    reference = "https://attack.mitre.org/techniques/T1548/005/"
    version = "1.0"

  events:
    (
      (
        $e.metadata.vendor_name = "AMAZON"
        and $e.metadata.product_event_type = "AssumeRole"
        and $e.security_result.outcome = "SUCCESS"
        and (
          $e.target.resource.name = /(?i)(AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole|FullAccess)/
          or $e.target.resource.attribute.labels["roleArn"] = /(?i)(AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole)/
        )
      )
      or
      (
        $e.metadata.vendor_name = "MICROSOFT"
        and $e.metadata.product_name = "Azure Active Directory"
        and $e.metadata.product_event_type = /(?i)(Activate role|Add member to role in PIM completed|Add eligible member to role)/
        and $e.security_result.outcome = "SUCCESS"
        and $e.target.resource.name = /(?i)(Owner|Contributor|Global Administrator|Privileged Role Administrator|Security Administrator)/
      )
      or
      (
        $e.metadata.vendor_name = "GOOGLE"
        and $e.metadata.product_name = "Google Cloud Platform"
        and $e.metadata.product_event_type = /(?i)(setIamPolicy|impersonateServiceAccount|signJwt|generateIdToken)/
      )
      or
      (
        $e.metadata.vendor_name = "MICROSOFT"
        and $e.metadata.product_name = "Azure Active Directory"
        and $e.metadata.event_type = "USER_LOGIN"
        and $e.target.application = /(?i)(PIM|Privileged Identity Management)/
        and (
          $e.security_result.severity = "HIGH"
          or $e.security_result.severity = "MEDIUM"
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

AWS CloudTrail (Chronicle AWS log parser) Azure Active Directory Audit Logs (Chronicle Azure AD parser) Azure Active Directory Sign-in Logs (Chronicle Azure AD parser) GCP Cloud Audit Logs (Chronicle GCP parser)

Required Tables

USER_RESOURCE_ACCESS UDM events USER_LOGIN UDM events

False Positives

Authorized break-glass emergency access procedures where on-call engineers legitimately assume elevated roles during critical production incidents — verify against incident management system and restrict expected activation window to incident duration
Cloud security posture management (CSPM) tools such as Wiz, Orca, or Prisma Cloud that impersonate service accounts to enumerate IAM permissions for compliance assessments — confirm against known CSPM service account identifiers and scheduled scan windows
Azure PIM activations that trigger high-severity risk scores due to impossible travel detection when administrators VPN through different regions — cross-reference user travel records or known VPN egress IPs before escalating

CrowdStrike LogScale (CQL)

cql

// T1548.005 — Temporary Elevated Cloud Access
// Requires AWS CloudTrail, Azure Audit, Azure SignIn, and GCP Audit data ingested into Falcon LogScale
(#type=aws-cloudtrail OR #type=azure-auditlogs OR #type=gcp-auditlogs OR #type=azure-signinlogs)
| case {
    #type = "aws-cloudtrail"
    and eventName = "AssumeRole"
    and requestParameters.roleArn = /(?i)(AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole|FullAccess)/
      => detection_type := "AWS_AssumeRole_High_Priv" ;
    #type = "azure-auditlogs"
    and operationName = /(?i)(Activate role|Add member to role in PIM|Add eligible member to role)/
    and result = "success"
    and targetResources = /(?i)(Owner|Global Admin|Privileged Role Admin|Security Admin|Contributor)/
      => detection_type := "Azure_PIM_High_Priv_Activation" ;
    #type = "gcp-auditlogs"
    and protoPayload.methodName = /(?i)(setIamPolicy|impersonateServiceAccount|signJwt|generateIdToken)/
      => detection_type := "GCP_IAM_Impersonation" ;
    #type = "azure-signinlogs"
    and appDisplayName = /(?i)(PIM|Privileged Identity)/
    and riskLevelDuringSignIn = /(?i)(high|medium)/
      => detection_type := "Azure_PIM_Risky_Signin" ;
    *
      => drop()
  }
| table([timestamp, user, src_ip, detection_type, #type, eventName, operationName, protoPayload.methodName, requestParameters.roleArn, targetResources, riskLevelDuringSignIn])
| sort(field=timestamp, order=desc)

high severity medium confidence

Data Sources

AWS CloudTrail (Falcon LogScale AWS ingest) Azure Active Directory Audit Logs (Falcon LogScale Azure ingest) Azure Active Directory Sign-in Logs (Falcon LogScale Azure ingest) GCP Cloud Audit Logs (Falcon LogScale GCP ingest)

Required Tables

aws-cloudtrail azure-auditlogs gcp-auditlogs azure-signinlogs

False Positives

Cloud platform engineers performing routine AssumeRole operations as part of automated infrastructure testing or chaos engineering exercises — validate against known test account IDs and scheduled test window timestamps
Third-party cloud security scanning tools using IAM impersonation to perform read-only compliance checks or vulnerability assessments across accounts — whitelist known scanner principal ARNs or service account identifiers
GCP Workforce Identity Federation flows where federated users legitimately authenticate and assume roles across organizational boundaries for approved SaaS or internal applications — confirm federation pool and provider configuration matches expected identity provider

Last updated: 2026-04-20 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1548.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1548Abuse Elevation Control Mechanism

Related Sub-techniques

T1548.001Setuid and Setgid T1548.002Bypass User Account Control T1548.003Sudo and Sudo Caching T1548.004Elevated Execution with Prompt T1548.006TCC Manipulation

Temporary Elevated Cloud Access

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections