Detect Temporary Elevated Cloud Access in IBM QRadar

Adversaries abuse cloud permission mechanisms to gain temporarily elevated access to cloud resources. This includes AWS AssumeRole, GCP service account impersonation, Azure PIM just-in-time access, and similar constructs. Attackers may abuse these features to escalate from a low-privilege identity to a higher-privilege role, pass roles to resources to gain persistent access, or exploit Google Workspace domain-wide delegation. The technique relies on legitimate cloud APIs, used to obtain privileges beyond the intended authorization.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.005 Temporary Elevated Cloud Access
Canonical reference: https://attack.mitre.org/techniques/T1548/005/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS source_type,
  QIDNAME(qid) AS event_name,
  CASE
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%AWS%'
      AND "Event Name" ILIKE '%AssumeRole%'
      AND (
        "Request Parameters" ILIKE '%AdministratorAccess%'
        OR "Request Parameters" ILIKE '%PowerUserAccess%'
        OR "Request Parameters" ILIKE '%OrganizationAccountAccessRole%'
        OR "Request Parameters" ILIKE '%FullAccess%'
      )
      THEN 'AWS_AssumeRole_High_Priv'
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
      AND (
        "Operation Name" ILIKE '%Activate role%'
        OR "Operation Name" ILIKE '%Add member to role in PIM%'
        OR "Operation Name" ILIKE '%Add eligible member to role%'
      )
      AND (
        "Target Resource" ILIKE '%Owner%'
        OR "Target Resource" ILIKE '%Global Admin%'
        OR "Target Resource" ILIKE '%Privileged Role Admin%'
        OR "Target Resource" ILIKE '%Security Admin%'
        OR "Target Resource" ILIKE '%Contributor%'
      )
      THEN 'Azure_PIM_High_Priv_Activation'
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%Google%'
      AND (
        "Method Name" ILIKE '%setIamPolicy%'
        OR "Method Name" ILIKE '%impersonateServiceAccount%'
        OR "Method Name" ILIKE '%signJwt%'
        OR "Method Name" ILIKE '%generateIdToken%'
      )
      THEN 'GCP_IAM_Impersonation'
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
      AND (
        "App Display Name" ILIKE '%PIM%'
        OR "App Display Name" ILIKE '%Privileged Identity%'
      )
      AND (
        "Risk Level During SignIn" ILIKE '%high%'
        OR "Risk Level During SignIn" ILIKE '%medium%'
      )
      THEN 'Azure_PIM_Risky_Signin'
    ELSE NULL
  END AS detection_type
FROM events
WHERE starttime > NOW() - 86400000
  AND (
    (
      LOGSOURCETYPENAME(devicetype) ILIKE '%AWS%'
      AND "Event Name" ILIKE '%AssumeRole%'
      AND (
        "Request Parameters" ILIKE '%AdministratorAccess%'
        OR "Request Parameters" ILIKE '%PowerUserAccess%'
        OR "Request Parameters" ILIKE '%OrganizationAccountAccessRole%'
        OR "Request Parameters" ILIKE '%FullAccess%'
      )
    )
    OR (
      LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
      AND (
        "Operation Name" ILIKE '%Activate role%'
        OR "Operation Name" ILIKE '%Add member to role in PIM%'
        OR "Operation Name" ILIKE '%Add eligible member to role%'
      )
      AND (
        "Target Resource" ILIKE '%Owner%'
        OR "Target Resource" ILIKE '%Global Admin%'
        OR "Target Resource" ILIKE '%Privileged Role Admin%'
        OR "Target Resource" ILIKE '%Security Admin%'
        OR "Target Resource" ILIKE '%Contributor%'
      )
    )
    OR (
      LOGSOURCETYPENAME(devicetype) ILIKE '%Google%'
      AND (
        "Method Name" ILIKE '%setIamPolicy%'
        OR "Method Name" ILIKE '%impersonateServiceAccount%'
        OR "Method Name" ILIKE '%signJwt%'
        OR "Method Name" ILIKE '%generateIdToken%'
      )
    )
    OR (
      LOGSOURCETYPENAME(devicetype) ILIKE '%Azure%'
      AND (
        "App Display Name" ILIKE '%PIM%'
        OR "App Display Name" ILIKE '%Privileged Identity%'
      )
      AND (
        "Risk Level During SignIn" ILIKE '%high%'
        OR "Risk Level During SignIn" ILIKE '%medium%'
      )
    )
  )
ORDER BY starttime DESC
LIMIT 500
```
Severity: high. Confidence: medium.

QRadar AQL query detecting temporary elevated cloud access abuse across AWS CloudTrail (AssumeRole into administrative policies or roles), Azure Active Directory audit logs (PIM high-privilege role activation), GCP Cloud Audit logs (IAM impersonation calls), and Azure sign-in logs (risky PIM authentication events). Each event is labelled with a detection type by the CASE expression; the WHERE clause restricts results to the cloud DSM source types and to the same platform-specific conditions, so only rows with a non-null detection_type are returned. Matching is substring-based and case-insensitive (ILIKE), so 'Global Admin' also matches 'Global Administrator'.

Data Sources

  • AWS CloudTrail DSM
  • Microsoft Azure Active Directory DSM
  • Google Cloud Platform Audit DSM

Required Tables

events

False Positives & Tuning

  • Security operations center analysts activating PIM roles for approved incident response tasks — correlate against open incident tickets and known analyst accounts to suppress during active investigations
  • Infrastructure-as-code automation tools (Terraform, Pulumi, AWS CDK) using cross-account role assumption during planned deployment runs — validate against known automation IAM principals and deployment schedule windows
  • GCP Workload Identity Federation operations where legitimate cross-project or cross-organization service account impersonation is required by approved application design — check federation configuration and expected calling projects
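The classification the AQL query performs, together with the three suppression rules listed above, as an added offline example that is not the page's or IBM's code. The constructed events are Python dicts whose keys mirror the QRadar custom property names used in the query, substring matching is case-insensitive like AQL ILIKE, and the allowlist values, log source type names and the `caller_project` field are assumptions made for the illustration.

```python
"""Offline model of the QRadar AQL classification and its tuning allowlists.
Added example: constructed events, not real telemetry."""

from dataclasses import dataclass, field

# Substring lists taken from the AQL query above.
AWS_HIGH_PRIV_POLICIES = ("AdministratorAccess", "PowerUserAccess",
                          "OrganizationAccountAccessRole", "FullAccess")
AZURE_PIM_OPERATIONS = ("Activate role", "Add member to role in PIM",
                        "Add eligible member to role")
AZURE_HIGH_PRIV_ROLES = ("Owner", "Global Admin", "Privileged Role Admin",
                         "Security Admin", "Contributor")
GCP_IMPERSONATION_METHODS = ("setIamPolicy", "impersonateServiceAccount",
                             "signJwt", "generateIdToken")
AZURE_PIM_APPS = ("PIM", "Privileged Identity")
AZURE_RISK_LEVELS = ("high", "medium")


def ilike_any(value, needles):
    """Equivalent of `field ILIKE '%a%' OR field ILIKE '%b%'` (case-insensitive)."""
    if value is None:
        return False
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def classify(event):
    """Return the detection_type label the AQL CASE would assign, or None.
    Branch order matches the CASE, so the first matching branch wins."""
    src = event.get("source_type", "")
    if (ilike_any(src, ("AWS",)) and ilike_any(event.get("Event Name"), ("AssumeRole",))
            and ilike_any(event.get("Request Parameters"), AWS_HIGH_PRIV_POLICIES)):
        return "AWS_AssumeRole_High_Priv"
    if (ilike_any(src, ("Azure",)) and ilike_any(event.get("Operation Name"), AZURE_PIM_OPERATIONS)
            and ilike_any(event.get("Target Resource"), AZURE_HIGH_PRIV_ROLES)):
        return "Azure_PIM_High_Priv_Activation"
    if ilike_any(src, ("Google",)) and ilike_any(event.get("Method Name"), GCP_IMPERSONATION_METHODS):
        return "GCP_IAM_Impersonation"
    if (ilike_any(src, ("Azure",)) and ilike_any(event.get("App Display Name"), AZURE_PIM_APPS)
            and ilike_any(event.get("Risk Level During SignIn"), AZURE_RISK_LEVELS)):
        return "Azure_PIM_Risky_Signin"
    return None


@dataclass
class Tuning:
    """Allowlists for the three false-positive cases; contents are assumptions."""
    automation_principals: set = field(default_factory=set)        # IaC deploy identities
    analysts_with_open_incident: set = field(default_factory=set)  # SOC users on a live ticket
    approved_gcp_caller_projects: set = field(default_factory=set)  # WIF caller projects


def suppression_reason(event, label, tuning):
    """Return why a labelled event is suppressed, or None if it should alert."""
    user = event.get("username", "")
    if label == "AWS_AssumeRole_High_Priv" and user in tuning.automation_principals:
        return "known IaC automation principal"
    if label == "Azure_PIM_High_Priv_Activation" and user in tuning.analysts_with_open_incident:
        return "analyst activation tied to open incident"
    if label == "GCP_IAM_Impersonation" and event.get("caller_project") in tuning.approved_gcp_caller_projects:
        return "approved Workload Identity Federation caller project"
    return None


def run(events, tuning):
    """Return (alerts, suppressed) as lists of (username, detection_type, reason)."""
    alerts, suppressed = [], []
    for ev in events:
        label = classify(ev)
        if label is None:
            continue  # the AQL WHERE clause drops these rows entirely
        reason = suppression_reason(ev, label, tuning)
        (suppressed if reason else alerts).append((ev["username"], label, reason))
    return alerts, suppressed


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"source_type": "Amazon AWS CloudTrail", "username": "dev-alice", "Event Name": "AssumeRole",
     "Request Parameters": '{"roleArn":"arn:aws:iam::111111111111:role/AdministratorAccess","durationSeconds":900}'},
    {"source_type": "Amazon AWS CloudTrail", "username": "terraform-deploy", "Event Name": "AssumeRole",
     "Request Parameters": '{"roleArn":"arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"}'},
    {"source_type": "Amazon AWS CloudTrail", "username": "dev-bob", "Event Name": "AssumeRole",
     "Request Parameters": '{"roleArn":"arn:aws:iam::111111111111:role/ReadOnlyAudit"}'},
    {"source_type": "Microsoft Azure Active Directory", "username": "soc-analyst@example.com",
     "Operation Name": "Add member to role in PIM completed (timebound)", "Target Resource": "Global Administrator"},
    {"source_type": "Microsoft Azure Active Directory", "username": "contractor@example.com",
     "Operation Name": "Activate role", "Target Resource": "Privileged Role Administrator"},
    {"source_type": "Google Cloud Platform Audit", "username": "sa-builder@proj-a.iam.gserviceaccount.com",
     "Method Name": "GenerateIdToken", "caller_project": "proj-a"},
    {"source_type": "Google Cloud Platform Audit", "username": "user@example.com",
     "Method Name": "google.iam.admin.v1.SetIamPolicy", "caller_project": "unknown-proj"},
    {"source_type": "Microsoft Azure Active Directory", "username": "contractor@example.com",
     "App Display Name": "Azure AD PIM", "Risk Level During SignIn": "medium"},
]

TUNING = Tuning(automation_principals={"terraform-deploy"},
                analysts_with_open_incident={"soc-analyst@example.com"},
                approved_gcp_caller_projects={"proj-a"})

if __name__ == "__main__":
    alerts, suppressed = run(SAMPLE_EVENTS, TUNING)
    for row in alerts:
        print("ALERT     ", row)
    for row in suppressed:
        print("SUPPRESSED", row)
```

Running the block prints four alerts (dev-alice, contractor's PIM activation, the unknown-project setIamPolicy call, contractor's risky PIM sign-in) and three suppressed rows; dev-bob's read-only AssumeRole never gets a label, exactly as the query's WHERE clause would drop it. The same substring lists drive both the classifier and the query, so a change to one can be mirrored in the other and checked here before it is deployed.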

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Check Azure PIM Role Activations (Hunting Query)

    Expected signal: Sysmon EventCode 1: powershell.exe with Get-AzureADMSPrivilegedRoleAssignment command. Azure AD sign-in log for Graph API access.

  2. Test 2: AWS AssumeRole via CLI

    Expected signal: AWS CloudTrail: AssumeRole event with roleArn, requestedDuration, and caller identity. The 15-minute session duration is characteristic of testing.

  3. Test 3: GCP Service Account Impersonation Test

    Expected signal: GCP Cloud Audit Log: GenerateIdToken or impersonateServiceAccount event from the calling identity.
