T1548.005 CrowdStrike LogScale · LogScale

Detect Temporary Elevated Cloud Access in CrowdStrike LogScale

Adversaries abuse cloud permission mechanisms to gain temporarily elevated access to cloud resources. This includes AWS AssumeRole, GCP service account impersonation, Azure PIM just-in-time role activation, and similar constructs. Attackers may abuse these features to escalate from a low-privilege identity to a higher-privilege role, pass roles to resources to gain persistent access, or exploit Google Workspace domain-wide delegation. The technique relies on legitimate cloud APIs, used maliciously to obtain privileges beyond the intended authorization.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.005 Temporary Elevated Cloud Access
Canonical reference: https://attack.mitre.org/techniques/T1548/005/

LogScale Detection Query

// T1548.005 — Temporary Elevated Cloud Access
// Requires AWS CloudTrail, Azure Audit, Azure SignIn, and GCP Audit data ingested into Falcon LogScale
// Note: LogScale's case statement separates each test from its action with "|", not "=>"
(#type="aws-cloudtrail" OR #type="azure-auditlogs" OR #type="gcp-auditlogs" OR #type="azure-signinlogs")
| case {
    // AWS: STS AssumeRole into a role whose ARN names an administrative policy or role
    #type="aws-cloudtrail"
    and eventName="AssumeRole"
    and requestParameters.roleArn=/(?i)(AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole|FullAccess)/
      | detection_type := "AWS_AssumeRole_High_Priv" ;
    // Azure: successful PIM activation or assignment of a high-privilege directory role
    #type="azure-auditlogs"
    and operationName=/(?i)(Activate role|Add member to role in PIM|Add eligible member to role)/
    and result="success"
    and targetResources=/(?i)(Owner|Global Admin|Privileged Role Admin|Security Admin|Contributor)/
      | detection_type := "Azure_PIM_High_Priv_Activation" ;
    // GCP: IAM policy changes and service account credential/impersonation calls
    #type="gcp-auditlogs"
    and protoPayload.methodName=/(?i)(setIamPolicy|impersonateServiceAccount|signJwt|generateIdToken)/
      | detection_type := "GCP_IAM_Impersonation" ;
    // Azure: risky sign-in to the PIM application itself
    #type="azure-signinlogs"
    and appDisplayName=/(?i)(PIM|Privileged Identity)/
    and riskLevelDuringSignIn=/(?i)(high|medium)/
      | detection_type := "Azure_PIM_Risky_Signin" ;
    // Everything else is discarded
    *
      | drop()
  }
| table([timestamp, user, src_ip, detection_type, #type, eventName, operationName, protoPayload.methodName, requestParameters.roleArn, targetResources, riskLevelDuringSignIn])
| sort(field=timestamp, order=desc)

Severity: high. Confidence: medium.

CrowdStrike Falcon LogScale (CQL) query detecting temporary elevated cloud access abuse across multi-cloud environments with cloud log data ingested into LogScale. Uses case expressions to classify and filter AWS AssumeRole events targeting administrative IAM policies, Azure PIM high-privilege role activations, GCP IAM service account impersonation calls, and risky Azure PIM sign-in events. Events not matching any pattern are dropped.

Data Sources

  • AWS CloudTrail (Falcon LogScale AWS ingest)
  • Azure Active Directory Audit Logs (Falcon LogScale Azure ingest)
  • Azure Active Directory Sign-in Logs (Falcon LogScale Azure ingest)
  • GCP Cloud Audit Logs (Falcon LogScale GCP ingest)

Required Tables

  • aws-cloudtrail
  • azure-auditlogs
  • gcp-auditlogs
  • azure-signinlogs

False Positives & Tuning

  • Cloud platform engineers performing routine AssumeRole operations as part of automated infrastructure testing or chaos engineering exercises — validate against known test account IDs and scheduled test window timestamps
  • Third-party cloud security scanning tools using IAM impersonation to perform read-only compliance checks or vulnerability assessments across accounts — whitelist known scanner principal ARNs or service account identifiers
  • GCP Workforce Identity Federation flows where federated users legitimately authenticate and assume roles across organizational boundaries for approved SaaS or internal applications — confirm federation pool and provider configuration matches expected identity provider
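As an added example (not part of this rule page or of CrowdStrike's tooling), the following Python reproduces the query's case branches over constructed sample events and applies the scanner-principal allowlist suggested under False Positives & Tuning. The flat field names (user, timestamp) and the scanner ARN are assumptions; the regexes are the ones used in the query.

```python
import re

# Regexes copied from the LogScale case expression; re.I mirrors the (?i) flag.
AWS_HIGH_PRIV = re.compile(r"AdministratorAccess|PowerUserAccess|OrganizationAccountAccessRole|FullAccess", re.I)
AZURE_PIM_OPS = re.compile(r"Activate role|Add member to role in PIM|Add eligible member to role", re.I)
AZURE_HIGH_PRIV = re.compile(r"Owner|Global Admin|Privileged Role Admin|Security Admin|Contributor", re.I)
GCP_IMPERSONATION = re.compile(r"setIamPolicy|impersonateServiceAccount|signJwt|generateIdToken", re.I)
AZURE_PIM_APP = re.compile(r"PIM|Privileged Identity", re.I)
RISKY_LEVEL = re.compile(r"high|medium", re.I)

# Hypothetical allowlist of known scanner principals (constructed value), per the tuning notes.
ALLOWLISTED_PRINCIPALS = {"arn:aws:iam::111111111111:role/compliance-scanner"}

def classify(e):
    """Return the detection_type the query's case branches assign, or None for the drop() branch."""
    t = e.get("#type")
    if t == "aws-cloudtrail" and e.get("eventName") == "AssumeRole" \
            and AWS_HIGH_PRIV.search(e.get("requestParameters.roleArn", "")):
        return "AWS_AssumeRole_High_Priv"
    if t == "azure-auditlogs" and AZURE_PIM_OPS.search(e.get("operationName", "")) \
            and e.get("result") == "success" and AZURE_HIGH_PRIV.search(e.get("targetResources", "")):
        return "Azure_PIM_High_Priv_Activation"
    if t == "gcp-auditlogs" and GCP_IMPERSONATION.search(e.get("protoPayload.methodName", "")):
        return "GCP_IAM_Impersonation"
    if t == "azure-signinlogs" and AZURE_PIM_APP.search(e.get("appDisplayName", "")) \
            and RISKY_LEVEL.search(e.get("riskLevelDuringSignIn", "")):
        return "Azure_PIM_Risky_Signin"
    return None

def run(events, allowlist=ALLOWLISTED_PRINCIPALS):
    """Classify, suppress allowlisted principals (tuning step), and sort newest first like the query."""
    hits = [(e["timestamp"], e.get("user"), d) for e in events
            if (d := classify(e)) and e.get("user") not in allowlist]
    return sorted(hits, reverse=True)

# Constructed sample events: one per case branch, one allowlisted scanner, one benign AssumeRole.
SAMPLE_EVENTS = [
    {"#type": "aws-cloudtrail", "timestamp": "2024-01-01T10:00:00Z", "user": "dev-user",
     "eventName": "AssumeRole", "requestParameters.roleArn": "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole"},
    {"#type": "aws-cloudtrail", "timestamp": "2024-01-01T10:01:00Z", "user": "arn:aws:iam::111111111111:role/compliance-scanner",
     "eventName": "AssumeRole", "requestParameters.roleArn": "arn:aws:iam::222222222222:role/PowerUserAccess"},
    {"#type": "aws-cloudtrail", "timestamp": "2024-01-01T10:02:00Z", "user": "ci-runner",
     "eventName": "AssumeRole", "requestParameters.roleArn": "arn:aws:iam::222222222222:role/deploy-readonly"},
    {"#type": "azure-auditlogs", "timestamp": "2024-01-01T10:03:00Z", "user": "alice@example.com",
     "operationName": "Activate role", "result": "success", "targetResources": "Global Administrator"},
    {"#type": "gcp-auditlogs", "timestamp": "2024-01-01T10:04:00Z", "user": "bob@example.com",
     "protoPayload.methodName": "google.iam.credentials.v1.IAMCredentials.GenerateIdToken"},
    {"#type": "azure-signinlogs", "timestamp": "2024-01-01T10:05:00Z", "user": "carol@example.com",
     "appDisplayName": "Azure AD PIM", "riskLevelDuringSignIn": "medium"},
]
```

Running run(SAMPLE_EVENTS) yields four hits: the scanner's AssumeRole is classified but suppressed by the allowlist, and the deploy-readonly AssumeRole falls through to the drop branch.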
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Check Azure PIM Role Activations (Hunting Query)

    Expected signal: Sysmon EventCode 1: powershell.exe with Get-AzureADMSPrivilegedRoleAssignment command. Azure AD sign-in log for Graph API access.

  2. Test 2: AWS AssumeRole via CLI

    Expected signal: AWS CloudTrail: AssumeRole event with roleArn, requestedDuration, and caller identity. The 15-minute session duration is characteristic of testing.

  3. Test 3: GCP Service Account Impersonation Test

    Expected signal: GCP Cloud Audit Log: GenerateIdToken or impersonateServiceAccount event from the calling identity.
