T1548.005 Microsoft Sentinel · KQL

Detect Temporary Elevated Cloud Access in Microsoft Sentinel

Adversaries abuse cloud permission mechanisms to obtain temporarily elevated access to cloud resources. This includes AWS AssumeRole, GCP service-account impersonation, Azure PIM just-in-time activation, and similar constructs. Attackers may abuse these features to escalate from a low-privilege identity to a higher-privilege role, pass roles to resources to gain persistent access, or exploit Google Workspace domain-wide delegation. The technique relies on legitimate cloud APIs, used maliciously to gain privileges beyond what was intended.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.005 Temporary Elevated Cloud Access
Canonical reference: https://attack.mitre.org/techniques/T1548/005/

KQL Detection Query

Microsoft Sentinel (KQL)

// T1548.005 — Temporary Elevated Cloud Access detection
// Covers Azure PIM / privileged-app sign-ins, PIM role activation, and Cloud Shell/CLI risk logins
// Part 1: Detect risky sign-ins to Azure PIM and privileged management applications (sign-in logs)
let AzurePIMAbuse = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| where AppDisplayName has_any ("Microsoft Azure", "Azure Portal", "PIM", "Privileged Identity")
| where ConditionalAccessStatus != "success"
    or RiskLevelDuringSignIn !in ("none", "")
| extend DetectionType = "Azure_PIM_Risk_Signin"
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
          AppDisplayName, ConditionalAccessStatus, RiskLevelDuringSignIn, DetectionType;
// Part 2: Detect Azure role activation outside expected patterns
let AzureRoleActivation = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Add member to role in PIM completed",
                               "Activate role", "Add eligible member to role")
| where Result =~ "success"
| extend TargetRole = tostring(TargetResources[0].displayName)
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
// has_any matches whole terms, so the full Entra role display names are required
// ("Global Admin" would not match "Global Administrator")
| where TargetRole has_any ("Owner", "Contributor", "Global Administrator",
                            "Privileged Role Administrator", "Security Administrator")
| extend DetectionType = "Azure_High_Priv_Role_Activated"
| project TimeGenerated, Actor, TargetRole, Result, DetectionType;
// Part 3: Detect Cloud Shell or CLI role assumption from new locations
let CloudShellAbuse = SigninLogs
| where TimeGenerated > ago(24h)
| where AppDisplayName has_any ("Azure Cloud Shell", "Azure CLI", "Azure PowerShell")
// Identity Protection risk detections are recorded in RiskEventTypes, not NetworkLocationDetails
| where RiskLevelDuringSignIn !in ("none", "")
    or RiskEventTypes has "unfamiliarFeatures"
| extend DetectionType = "Cloud_Shell_Risk_Login"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          RiskLevelDuringSignIn, DetectionType;
union AzurePIMAbuse, AzureRoleActivation, CloudShellAbuse
| sort by TimeGenerated desc

Severity: High
Confidence: Medium

Three-part detection for temporary elevated cloud access abuse targeting Azure/Entra ID. Part 1 detects risky sign-ins to Azure PIM or privileged management applications. Part 2 monitors Azure Audit Logs for activation of high-privilege roles (Owner, Global Admin, Security Admin) via PIM. Part 3 flags Cloud Shell/CLI access from risky sign-in contexts. Adapt queries for AWS CloudTrail AssumeRole or GCP audit logs as needed.
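As an added example that is not part of the original rule, the following KQL carries the AWS adaptation through for CloudTrail events ingested into Sentinel's AWSCloudTrail table: it keeps successful AssumeRole calls, drops actor/role pairs already seen in a 14-day baseline, rates the rest by whether the target role looks privileged, and exposes the requested session duration that Test 2 below refers to. Column names follow the Sentinel AWSCloudTrail schema; the privileged-role name pattern is an assumption to tune per account.

```kusto
// Added example: AWS CloudTrail AssumeRole adaptation (not part of the original rule).
// Assumes the Sentinel AWSCloudTrail table populated by the AWS S3 connector.
let lookback = 24h;
let baseline = 14d;
// Assumption: privileged roles can be recognised by name; adjust the pattern per account
let privRolePattern = @"(?i)admin|poweruser|OrganizationAccountAccessRole|break.?glass";
let AssumeRoles = AWSCloudTrail
| where EventSource == "sts.amazonaws.com" and EventName == "AssumeRole"
| where isempty(ErrorCode)                                 // successful assumptions only
| extend Params = parse_json(RequestParameters)
| extend RoleArn = tostring(Params.roleArn),
         SessionName = tostring(Params.roleSessionName),
         DurationSeconds = toint(Params.durationSeconds);   // 900 = the 15-minute test session
// Actor/role pairs observed in the baseline window are treated as known-good
let KnownPairs = AssumeRoles
| where TimeGenerated between (ago(baseline + lookback) .. ago(lookback))
| distinct UserIdentityArn, RoleArn;
AssumeRoles
| where TimeGenerated > ago(lookback)
| join kind=leftanti KnownPairs on UserIdentityArn, RoleArn  // keep only first-seen pairs
| extend HighPrivRole = RoleArn matches regex privRolePattern
// A privileged target role is the strong signal; a long-lived IAM user key assuming
// any role is weaker but still worth surfacing
| extend Severity = case(HighPrivRole, "High",
                         UserIdentityType == "IAMUser", "Medium",
                         "Low")
| where Severity != "Low"
| extend DetectionType = "AWS_FirstSeen_AssumeRole"
| project TimeGenerated, UserIdentityArn, UserIdentityType, RoleArn, SessionName,
          DurationSeconds, SourceIpAddress, UserAgent, Severity, DetectionType
| sort by TimeGenerated desc
```

Role chaining (a role assuming another role) shows up here with a role ARN in UserIdentityArn, so the baseline join also catches new role-to-role hops.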

Data Sources

  • Cloud Service: Cloud Service Modification
  • Logon Session: Logon Session Creation
  • Azure AD Sign-in Logs
  • Azure AD Audit Logs

Required Tables

  • SigninLogs
  • AuditLogs

False Positives & Tuning

  • Authorized IT administrators activating PIM roles for planned maintenance activities
  • Security team members elevating privileges for incident response during known incidents
  • DevOps engineers assuming cross-account roles for authorized deployment activities
  • Automated pipelines that assume roles for CI/CD operations in cloud infrastructure
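As an added tuning example, not part of the original rule, the following reworks Part 2 so that activations by approved administrators are suppressed only while their approval is current and only during business hours, which keeps planned-maintenance activations quiet without turning the allow-list into a blanket exemption. The watchlist name PIMApprovedActivators and its columns ChangeTicket and ValidUntil are assumptions; the hour thresholds are in UTC.

```kusto
// Added tuning example (not part of the original rule).
// Assumes a Sentinel watchlist "PIMApprovedActivators" (hypothetical) whose SearchKey is the
// administrator's UPN, with extra columns ChangeTicket and ValidUntil (ISO-8601 date).
let Approved = _GetWatchlist('PIMApprovedActivators')
| extend ValidUntil = todatetime(ValidUntil)
| where ValidUntil > now()                         // an expired approval no longer suppresses
| project Actor = tolower(SearchKey), ChangeTicket;
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Add member to role in PIM completed",
                               "Activate role", "Add eligible member to role")
| where Result =~ "success"
| extend TargetRole = tostring(TargetResources[0].displayName)
| extend Actor = tolower(tostring(InitiatedBy.user.userPrincipalName))
| where TargetRole has_any ("Owner", "Contributor", "Global Administrator",
                            "Privileged Role Administrator", "Security Administrator")
| join kind=leftouter Approved on Actor
// Business hours assumed as 07:00-19:00 UTC, Monday to Friday; adjust per region
| extend OffHours = hourofday(TimeGenerated) < 7 or hourofday(TimeGenerated) >= 19
                    or dayofweek(TimeGenerated) in (0d, 6d)
// Approved actors are suppressed only in business hours; anyone else, and any off-hours
// activation, still alerts
| where isempty(ChangeTicket) or OffHours
| extend Reason = iff(isnotempty(ChangeTicket),
                      "approved actor activating off-hours",
                      "actor not on approval watchlist")
| project TimeGenerated, Actor, TargetRole, ChangeTicket, OffHours, Reason
| sort by TimeGenerated desc
```

Pipeline service principals activate through InitiatedBy.app rather than InitiatedBy.user and so land with an empty Actor; give them their own watchlist keyed on application ID rather than widening this one.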
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Check Azure PIM Role Activations (Hunting Query)

    Expected signal: Sysmon EventCode 1: powershell.exe with the Get-AzureADMSPrivilegedRoleAssignment command. Azure AD sign-in log for Graph API access.

  2. Test 2: AWS AssumeRole via CLI

    Expected signal: AWS CloudTrail: AssumeRole event with roleArn, requestedDuration, and caller identity. The 15-minute session duration is characteristic of testing.

  3. Test 3: GCP Service Account Impersonation Test

    Expected signal: GCP Cloud Audit Log: GenerateIdToken or impersonateServiceAccount event from the calling identity.
