Detect Temporary Elevated Cloud Access in Google Chronicle
Adversaries abuse cloud permission mechanisms to gain temporarily elevated access to cloud resources. This includes AWS AssumeRole, GCP impersonation, Azure PIM just-in-time access, and similar constructs. Attackers may abuse these features to escalate from a low-privilege identity to a higher-privilege role, pass roles to resources to gain persistent access, or exploit Google Workspace domain-wide delegation. The technique relies on legitimate cloud APIs, used to escalate privileges beyond what the identity was intended to hold.
MITRE ATT&CK
- Technique: T1548 Abuse Elevation Control Mechanism
- Sub-technique: T1548.005 Temporary Elevated Cloud Access
- Canonical reference: https://attack.mitre.org/techniques/T1548/005/
YARA-L Detection Query
rule T1548_005_Temporary_Elevated_Cloud_Access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects temporary elevated cloud access abuse: AWS AssumeRole to high-privilege policies, Azure PIM high-privilege role activation, risky Azure PIM sign-ins, and GCP IAM service account impersonation (MITRE ATT&CK T1548.005)"
    severity = "HIGH"
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548.005"
    reference = "https://attack.mitre.org/techniques/T1548/005/"
    version = "1.0"

  events:
    (
      // AWS: successful STS AssumeRole whose target role or roleArn names an administrative policy
      (
        $e.metadata.vendor_name = "AMAZON"
        and $e.metadata.product_event_type = "AssumeRole"
        and $e.security_result.outcome = "SUCCESS"
        and (
          $e.target.resource.name = /(?i)(AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole|FullAccess)/
          or $e.target.resource.attribute.labels["roleArn"] = /(?i)(AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole)/
        )
      )
      or
      // Azure PIM: successful activation or assignment of a high-privilege directory or subscription role
      (
        $e.metadata.vendor_name = "MICROSOFT"
        and $e.metadata.product_name = "Azure Active Directory"
        and $e.metadata.product_event_type = /(?i)(Activate role|Add member to role in PIM completed|Add eligible member to role)/
        and $e.security_result.outcome = "SUCCESS"
        and $e.target.resource.name = /(?i)(Owner|Contributor|Global Administrator|Privileged Role Administrator|Security Administrator)/
      )
      or
      // GCP: IAM policy change, service account impersonation, or token minting via IAM Credentials
      (
        $e.metadata.vendor_name = "GOOGLE"
        and $e.metadata.product_name = "Google Cloud Platform"
        and $e.metadata.product_event_type = /(?i)(setIamPolicy|impersonateServiceAccount|signJwt|generateIdToken)/
      )
      or
      // Azure PIM: sign-in to the PIM application that Identity Protection scored MEDIUM or HIGH risk
      (
        $e.metadata.vendor_name = "MICROSOFT"
        and $e.metadata.product_name = "Azure Active Directory"
        and $e.metadata.event_type = "USER_LOGIN"
        and $e.target.application = /(?i)(PIM|Privileged Identity Management)/
        and (
          $e.security_result.severity = "HIGH"
          or $e.security_result.severity = "MEDIUM"
        )
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting temporary elevated cloud access abuse across AWS, Azure, and GCP using Chronicle's UDM normalized event model. It covers AWS AssumeRole targeting administrative IAM policies, Azure PIM high-privilege role activations with successful outcomes, GCP IAM service account impersonation and JWT token signing, and risky Azure PIM authentication sessions.
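To check the rule's branch logic before deploying it, the following added example (not part of the original page or of Chronicle) re-implements the four events clauses in Python and runs them over constructed, simplified UDM-like events. The `detect` helper also applies the allowlisting the tuning notes suggest for known CSPM service accounts; the event layout and the `known_scanners` parameter are assumptions.

```python
import re

# Patterns copied from the YARA-L rule above; re.search mirrors YARA-L's substring regex match.
AWS_ADMIN = re.compile(r"(?i)(AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole|FullAccess)")
AWS_ADMIN_ARN = re.compile(r"(?i)(AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole)")
PIM_EVENT = re.compile(r"(?i)(Activate role|Add member to role in PIM completed|Add eligible member to role)")
PIM_ROLE = re.compile(r"(?i)(Owner|Contributor|Global Administrator|Privileged Role Administrator|Security Administrator)")
GCP_IMPERSONATE = re.compile(r"(?i)(setIamPolicy|impersonateServiceAccount|signJwt|generateIdToken)")
PIM_APP = re.compile(r"(?i)(PIM|Privileged Identity Management)")

def match_branch(e: dict):
    """Return the name of the rule branch (events section) an event satisfies, or None."""
    md, sr, tgt = e.get("metadata", {}), e.get("security_result", {}), e.get("target", {})
    res, ptype = tgt.get("resource", {}), md.get("product_event_type", "")
    vendor, product = md.get("vendor_name"), md.get("product_name")
    role_arn = res.get("attribute", {}).get("labels", {}).get("roleArn", "")
    ok = sr.get("outcome") == "SUCCESS"
    if vendor == "AMAZON" and ptype == "AssumeRole" and ok and (
            AWS_ADMIN.search(res.get("name", "")) or AWS_ADMIN_ARN.search(role_arn)):
        return "aws_assumerole_admin"
    if vendor == "MICROSOFT" and product == "Azure Active Directory":
        if ok and PIM_EVENT.search(ptype) and PIM_ROLE.search(res.get("name", "")):
            return "azure_pim_activation"
        if (md.get("event_type") == "USER_LOGIN" and PIM_APP.search(tgt.get("application", ""))
                and sr.get("severity") in ("HIGH", "MEDIUM")):
            return "azure_pim_risky_signin"
    if vendor == "GOOGLE" and product == "Google Cloud Platform" and GCP_IMPERSONATE.search(ptype):
        return "gcp_impersonation"
    return None

def detect(events: list, known_scanners: frozenset = frozenset()) -> list:
    """Run the rule over a batch; drop principals allowlisted per the tuning notes (e.g. CSPM accounts)."""
    return [(who, b) for e in events
            for who in [e.get("principal", {}).get("user", {}).get("userid", "?")]
            for b in [match_branch(e)] if b and who not in known_scanners]

# Constructed sample events in a simplified UDM-like layout (not real Chronicle output).
SAMPLE_EVENTS = [
    {"metadata": {"vendor_name": "AMAZON", "product_event_type": "AssumeRole"}, "security_result": {"outcome": "SUCCESS"},
     "principal": {"user": {"userid": "dev-alice"}}, "target": {"resource": {"name": "arn:aws:iam::123456789012:role/AdministratorAccess"}}},
    {"metadata": {"vendor_name": "MICROSOFT", "product_name": "Azure Active Directory", "product_event_type": "Activate role"},
     "security_result": {"outcome": "SUCCESS"}, "principal": {"user": {"userid": "carol@example.com"}}, "target": {"resource": {"name": "Global Administrator"}}},
    {"metadata": {"vendor_name": "MICROSOFT", "product_name": "Azure Active Directory", "event_type": "USER_LOGIN"},
     "security_result": {"severity": "HIGH"}, "principal": {"user": {"userid": "dave@example.com"}}, "target": {"application": "Privileged Identity Management"}},
    {"metadata": {"vendor_name": "GOOGLE", "product_name": "Google Cloud Platform", "product_event_type": "GenerateIdToken"},
     "principal": {"user": {"userid": "cspm-scanner@proj.iam.gserviceaccount.com"}}},
]
```

Running `detect(SAMPLE_EVENTS)` yields one hit per event; passing the scanner's service account in `known_scanners` suppresses the GCP hit, which is how the CSPM false positive in the tuning notes would be handled.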
False Positives & Tuning
- Authorized break-glass emergency access procedures where on-call engineers legitimately assume elevated roles during critical production incidents — verify against incident management system and restrict expected activation window to incident duration
- Cloud security posture management (CSPM) tools such as Wiz, Orca, or Prisma Cloud that impersonate service accounts to enumerate IAM permissions for compliance assessments — confirm against known CSPM service account identifiers and scheduled scan windows
- Azure PIM activations that trigger high-severity risk scores due to impossible travel detection when administrators VPN through different regions — cross-reference user travel records or known VPN egress IPs before escalating
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Check Azure PIM Role Activations (Hunting Query)
  Expected signal: Sysmon EventCode 1: powershell.exe with Get-AzureADMSPrivilegedRoleAssignment command. Azure AD sign-in log for Graph API access.
- Test 2: AWS AssumeRole via CLI
  Expected signal: AWS CloudTrail: AssumeRole event with roleArn, requestedDuration, and caller identity. The 15-minute session duration is characteristic of testing.
- Test 3: GCP Service Account Impersonation Test
  Expected signal: GCP Cloud Audit Log: GenerateIdToken or impersonateServiceAccount event from the calling identity.
References (4)
- https://attack.mitre.org/techniques/T1548/005/
- https://cloud.google.com/blog/topics/threat-intelligence/exploring-critical-risk-google-workspace-domain-wide-delegation
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/