T1548.005 Elastic Security · Elastic

Detect Temporary Elevated Cloud Access in Elastic Security

Adversaries abuse cloud permission mechanisms to gain temporarily elevated access to cloud resources. This includes AWS AssumeRole, GCP service account impersonation, Azure PIM just-in-time access, and similar constructs. Attackers may abuse these features to escalate from a low-privilege identity to a higher-privilege role, pass roles to resources to gain persistent access, or exploit Google Workspace domain-wide delegation. The technique relies on legitimate cloud APIs, used to escalate privileges beyond what the calling identity was authorized for.

MITRE ATT&CK

Tactic
Privilege Escalation, Defense Evasion
Technique
T1548 Abuse Elevation Control Mechanism
Sub-technique
T1548.005 Temporary Elevated Cloud Access
Canonical reference
https://attack.mitre.org/techniques/T1548/005/

Elastic Detection Query

Elastic Security (Elastic)
eql
any where (
  (
    event.dataset == "aws.cloudtrail" and
    event.action == "AssumeRole" and
    event.outcome == "success" and
    (
      aws.cloudtrail.request_parameters like~ "*AdministratorAccess*" or
      aws.cloudtrail.request_parameters like~ "*PowerUserAccess*" or
      aws.cloudtrail.request_parameters like~ "*OrganizationAccountAccessRole*" or
      aws.cloudtrail.request_parameters like~ "*FullAccess*"
    )
  ) or
  (
    event.dataset == "azure.auditlogs" and
    event.outcome == "success" and
    (
      azure.auditlogs.operation_name like~ "*Add member to role in PIM completed*" or
      azure.auditlogs.operation_name like~ "*Activate role*" or
      azure.auditlogs.operation_name like~ "*Add eligible member to role*"
    ) and
    (
      azure.auditlogs.properties.target_resources like~ "*Owner*" or
      azure.auditlogs.properties.target_resources like~ "*Global Administrator*" or
      azure.auditlogs.properties.target_resources like~ "*Privileged Role Administrator*" or
      azure.auditlogs.properties.target_resources like~ "*Security Administrator*" or
      azure.auditlogs.properties.target_resources like~ "*Contributor*"
    )
  ) or
  (
    event.dataset == "googlecloud.audit" and
    (
      gcp.audit.method_name like~ "*setIamPolicy*" or
      gcp.audit.method_name like~ "*impersonateServiceAccount*" or
      gcp.audit.method_name like~ "*signJwt*" or
      gcp.audit.method_name like~ "*generateIdToken*"
    )
  ) or
  (
    event.dataset == "azure.signinlogs" and
    (
      azure.signinlogs.properties.app_display_name like~ "*PIM*" or
      azure.signinlogs.properties.app_display_name like~ "*Privileged Identity*"
    ) and
    azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium")
  )
)
Severity: high. Confidence: high.

Detects temporary elevated cloud access abuse across AWS (AssumeRole to administrative IAM policies), Azure (PIM role activation for high-privilege roles and risky PIM sign-ins), and GCP (IAM service account impersonation and policy manipulation). Covers MITRE ATT&CK T1548.005 across all three major cloud providers using Elastic integration indices.

Data Sources

  • AWS CloudTrail (Elastic AWS integration)
  • Azure Audit Logs (Elastic Azure integration)
  • Azure Sign-in Logs (Elastic Azure integration)
  • GCP Cloud Audit Logs (Elastic GCP integration)

Required Tables

  • logs-aws.cloudtrail-*
  • logs-azure.auditlogs-*
  • logs-azure.signinlogs-*
  • logs-gcp.audit-*

False Positives & Tuning

  • Legitimate IT administrators activating Azure PIM roles during approved maintenance windows with valid change management tickets — cross-reference against ServiceNow or Jira change records
  • Automated CI/CD pipelines (GitHub Actions, Jenkins, Terraform Cloud) assuming high-privilege AWS roles for approved infrastructure deployments — check for known automation source IPs and IAM role naming conventions
  • GCP Cloud Build jobs or Dataflow pipelines that legitimately impersonate service accounts as part of their approved execution model — validate against known build project IDs and scheduled execution times
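The EQL rule above and the tuning bullets, as an added Python example that is not part of the Elastic rule or this page: it re-implements the rule's matching logic (EQL `like~` as a case-insensitive wildcard match) over constructed sample events and applies the first tuning step, suppressing AWS AssumeRole hits from known automation source IPs. The `id` and `source.ip` keys, the allowlist and every sample value are assumptions made for the demo.

```python
import fnmatch

def like_any(value, patterns):
    """EQL `like~` over a list of patterns: case-insensitive, `*` matches any run of characters."""
    return value is not None and any(fnmatch.fnmatchcase(str(value).lower(), p.lower()) for p in patterns)

def matches_rule(ev):
    """Re-implementation of the page's EQL rule for one event (ECS fields as dotted keys)."""
    ds = ev.get("event.dataset")
    if ds == "aws.cloudtrail":  # AssumeRole into an administrative policy/role name
        return (ev.get("event.action") == "AssumeRole" and ev.get("event.outcome") == "success"
                and like_any(ev.get("aws.cloudtrail.request_parameters"), ["*AdministratorAccess*",
                    "*PowerUserAccess*", "*OrganizationAccountAccessRole*", "*FullAccess*"]))
    if ds == "azure.auditlogs":  # PIM activation or assignment of a high-privilege role
        return (ev.get("event.outcome") == "success"
                and like_any(ev.get("azure.auditlogs.operation_name"), ["*Add member to role in PIM completed*",
                    "*Activate role*", "*Add eligible member to role*"])
                and like_any(ev.get("azure.auditlogs.properties.target_resources"), ["*Owner*",
                    "*Global Administrator*", "*Privileged Role Administrator*",
                    "*Security Administrator*", "*Contributor*"]))
    if ds == "googlecloud.audit":  # service account impersonation or IAM policy changes
        return like_any(ev.get("gcp.audit.method_name"), ["*setIamPolicy*",
            "*impersonateServiceAccount*", "*signJwt*", "*generateIdToken*"])
    if ds == "azure.signinlogs":  # risky sign-in to the PIM application
        return (like_any(ev.get("azure.signinlogs.properties.app_display_name"), ["*PIM*", "*Privileged Identity*"])
                and ev.get("azure.signinlogs.properties.risk_level_during_sign_in") in ("high", "medium"))
    return False

def triage(events, automation_ips=frozenset()):
    """Rule hits minus the page's first tuning step: AWS AssumeRole from known CI/CD source IPs."""
    return [ev["id"] for ev in events if matches_rule(ev) and not (
        ev.get("event.dataset") == "aws.cloudtrail" and ev.get("source.ip") in automation_ips)]

# Constructed sample events (not real telemetry); "id" and "source.ip" are assumed fields for the demo.
SAMPLE = [
    {"id": "aws-admin", "event.dataset": "aws.cloudtrail", "event.action": "AssumeRole", "event.outcome": "success",
     "source.ip": "203.0.113.7", "aws.cloudtrail.request_parameters":
     '{"roleArn":"arn:aws:iam::111122223333:role/administratoraccess-breakglass"}'},
    {"id": "aws-cicd", "event.dataset": "aws.cloudtrail", "event.action": "AssumeRole", "event.outcome": "success",
     "source.ip": "198.51.100.5", "aws.cloudtrail.request_parameters":
     '{"roleArn":"arn:aws:iam::111122223333:role/PowerUserAccess-deploy"}'},
    {"id": "aws-denied", "event.dataset": "aws.cloudtrail", "event.action": "AssumeRole", "event.outcome": "failure",
     "aws.cloudtrail.request_parameters": '{"roleArn":"arn:aws:iam::111122223333:role/AdministratorAccess"}'},
    {"id": "az-pim", "event.dataset": "azure.auditlogs", "event.outcome": "success",
     "azure.auditlogs.operation_name": "Add member to role in PIM completed (timebound)",
     "azure.auditlogs.properties.target_resources": "Global Administrator"},
    {"id": "gcp-token", "event.dataset": "googlecloud.audit", "gcp.audit.method_name": "GenerateIdToken"},
    {"id": "az-signin-low", "event.dataset": "azure.signinlogs", "azure.signinlogs.properties.app_display_name":
     "Azure AD PIM", "azure.signinlogs.properties.risk_level_during_sign_in": "low"},
]
```

The sample stores `target_resources` as one string for the demo; the Elastic Azure integration indexes it as a structured object, so validate the rule's wildcard on that field against real indexed documents before relying on it.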

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Check Azure PIM Role Activations (Hunting Query)

     Expected signal: Sysmon EventCode 1: powershell.exe with Get-AzureADMSPrivilegedRoleAssignment command. Azure AD sign-in log for Graph API access.

  2. Test 2: AWS AssumeRole via CLI

     Expected signal: AWS CloudTrail: AssumeRole event with roleArn, requestedDuration, and caller identity. The 15-minute session duration is characteristic of testing.

  3. Test 3: GCP Service Account Impersonation Test

     Expected signal: GCP Cloud Audit Log: GenerateIdToken or impersonateServiceAccount event from the calling identity.
