T1548.005 Splunk · SPL

Detect Temporary Elevated Cloud Access in Splunk

Adversaries abuse cloud permission mechanisms to gain temporarily elevated access to cloud resources. Such mechanisms include AWS AssumeRole, GCP service account impersonation, Azure PIM just-in-time activation, and similar constructs. An attacker may use these features to escalate from a low-privilege identity to a higher-privilege role, pass roles to resources to gain persistent access, or abuse Google Workspace domain-wide delegation. The calls themselves are legitimate cloud APIs; what makes the activity malicious is that it obtains privileges beyond those intended for the identity.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.005 Temporary Elevated Cloud Access
Canonical reference: https://attack.mitre.org/techniques/T1548/005/

SPL Detection Query

index=azure_audit OR index=aws_cloudtrail OR index=gcp_audit
| eval role_request=coalesce('requestParameters.roleArn', requestParameters),
       method=coalesce(methodName, 'protoPayload.methodName'),
       user=coalesce(user, 'userIdentity.arn', 'protoPayload.authenticationInfo.principalEmail', userPrincipalName),
       src_ip=coalesce(src_ip, sourceIPAddress, 'protoPayload.requestMetadata.callerIp', ipAddress)
| eval detection_type=case(
    sourcetype="azure:audit" AND
      match(_raw, "(?i)(Activate role|Add member to role.*PIM|eligible member to role)") AND
      match(_raw, "(?i)(Owner|Global Admin|Privileged Role|Security Admin|Contributor)"),
      "Azure_High_Priv_PIM_Activation",
    sourcetype="aws:cloudtrail" AND match(eventName, "AssumeRole") AND
      match(role_request, "(?i)(AdministratorAccess|PowerUser|OrganizationAdmin)"),
      "AWS_AssumeRole_High_Priv",
    sourcetype="gcp:audit" AND match(method, "(?i)(setIamPolicy|impersonateServiceAccount|signJwt)"),
      "GCP_IAM_Impersonation",
    sourcetype="azure:signinlogs" AND
      match(_raw, "(?i)(PIM|Privileged Identity)") AND
      match(riskLevelDuringSignIn, "(?i)(high|medium)"),
      "Azure_PIM_Risky_Signin",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, user, src_ip, detection_type, sourcetype, _raw
| sort - _time

Severity: high · Confidence: medium

The first eval normalises field names that differ between the AWS, GCP and Microsoft add-ons: with JSON auto-extraction the CloudTrail role ARN is only available as requestParameters.roleArn (there is no bare requestParameters field to match on), GCP audit records carry protoPayload.methodName, and the caller identity and source address live under userIdentity.arn / sourceIPAddress (AWS), protoPayload.authenticationInfo.principalEmail / protoPayload.requestMetadata.callerIp (GCP) and userPrincipalName / ipAddress (Azure sign-in logs). coalesce() keeps any existing CIM-normalised user and src_ip values and only falls back to the raw fields, so the table populates whichever add-on produced the event. Note that match(eventName, "AssumeRole") also matches AssumeRoleWithSAML and AssumeRoleWithWebIdentity, which is usually desirable for this technique.

Cross-cloud detection for temporary elevated access covering Azure (PIM role activation, risky PIM sign-in), AWS (AssumeRole for high-privilege roles) and GCP (IAM policy changes, service account impersonation). Each provider has its own audit log format and event names, so the query branches on sourcetype and applies a provider-specific pattern in each case() arm; the first arm that matches assigns the detection_type label.

Data Sources

  • Azure AD Audit Logs
  • AWS CloudTrail
  • GCP Cloud Audit Logs

Required Sourcetypes

  • azure:audit
  • aws:cloudtrail
  • gcp:audit
  • azure:signinlogs

False Positives & Tuning

  • Authorized PIM activations by IT staff during maintenance
  • Automated AWS cross-account role assumptions in documented CI/CD pipelines
  • GCP service account impersonation for authorized workload operations
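To check the case() logic and the tuning list offline before deploying the search, the following Python mirrors the SPL branches and runs them over constructed sample events. This is an added example, not code from the original page or from the detection's author. It assumes flat Splunk-style field names (the CloudTrail role ARN under requestParameters.roleArn, as produced by JSON auto-extraction) and a hypothetical allowlist parameter, allowed_aws_roles, for the documented CI/CD role assumptions named in the tuning notes above.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Patterns copied from the SPL case() branches so the logic can be exercised offline.
AZURE_PIM_ACTION = re.compile(r"(?i)(Activate role|Add member to role.*PIM|eligible member to role)")
AZURE_HIGH_PRIV_ROLE = re.compile(r"(?i)(Owner|Global Admin|Privileged Role|Security Admin|Contributor)")
AWS_HIGH_PRIV_ROLE = re.compile(r"(?i)(AdministratorAccess|PowerUser|OrganizationAdmin)")
GCP_IMPERSONATION = re.compile(r"(?i)(setIamPolicy|impersonateServiceAccount|signJwt)")
AZURE_PIM_SIGNIN = re.compile(r"(?i)(PIM|Privileged Identity)")
RISKY_LEVEL = re.compile(r"(?i)(high|medium)")

Event = Dict[str, str]


def classify(event: Event, allowed_aws_roles: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Mirror of the SPL case(): return the detection_type label, or None for no match.

    Events are flat dicts keyed like Splunk fields. The role ARN is read from
    'requestParameters.roleArn' (assumption: JSON auto-extraction of CloudTrail).
    allowed_aws_roles is a hypothetical tuning allowlist for the documented
    CI/CD role assumptions listed under False Positives & Tuning.
    """
    st = event.get("sourcetype")
    raw = event.get("_raw", "")
    if st == "azure:audit":
        if AZURE_PIM_ACTION.search(raw) and AZURE_HIGH_PRIV_ROLE.search(raw):
            return "Azure_High_Priv_PIM_Activation"
    elif st == "aws:cloudtrail":
        role_arn = event.get("requestParameters.roleArn", "")
        if "AssumeRole" in event.get("eventName", "") and AWS_HIGH_PRIV_ROLE.search(role_arn):
            # Tuning: documented pipeline roles are suppressed rather than alerted on.
            return None if role_arn in allowed_aws_roles else "AWS_AssumeRole_High_Priv"
    elif st == "gcp:audit":
        if GCP_IMPERSONATION.search(event.get("methodName", "")):
            return "GCP_IAM_Impersonation"
    elif st == "azure:signinlogs":
        if AZURE_PIM_SIGNIN.search(raw) and RISKY_LEVEL.search(event.get("riskLevelDuringSignIn", "")):
            return "Azure_PIM_Risky_Signin"
    return None


def detect(events: List[Event], allowed_aws_roles: FrozenSet[str] = frozenset()) -> List[Event]:
    """Equivalent of `| where isnotnull(detection_type) | table ... | sort - _time`."""
    hits = []
    for ev in events:
        label = classify(ev, allowed_aws_roles)
        if label is not None:
            hits.append({"_time": ev["_time"], "user": ev.get("user", ""),
                         "sourcetype": ev["sourcetype"], "detection_type": label})
    return sorted(hits, key=lambda h: h["_time"], reverse=True)


# Constructed sample events (not real telemetry); field names follow the SPL above.
SAMPLE_EVENTS: List[Event] = [
    {"_time": "2024-05-01T10:00:00Z", "sourcetype": "azure:audit", "user": "alice@example.com",
     "_raw": "Add eligible member to role completed (PIM activation): Global Administrator"},
    {"_time": "2024-05-01T10:05:00Z", "sourcetype": "aws:cloudtrail", "user": "arn:aws:iam::111122223333:user/bob",
     "eventName": "AssumeRole",
     "requestParameters.roleArn": "arn:aws:iam::111122223333:role/AdministratorAccess-BreakGlass"},
    {"_time": "2024-05-01T10:06:00Z", "sourcetype": "aws:cloudtrail", "user": "arn:aws:iam::111122223333:user/bob",
     "eventName": "AssumeRole",
     "requestParameters.roleArn": "arn:aws:iam::111122223333:role/ReadOnlyAudit"},
    {"_time": "2024-05-01T10:07:00Z", "sourcetype": "aws:cloudtrail", "user": "arn:aws:iam::111122223333:user/ci-runner",
     "eventName": "AssumeRole",
     "requestParameters.roleArn": "arn:aws:iam::111122223333:role/PowerUserDeploy"},
    {"_time": "2024-05-01T10:10:00Z", "sourcetype": "gcp:audit", "user": "svc-build@example.iam.gserviceaccount.com",
     "methodName": "google.iam.credentials.v1.IAMCredentials.SignJwt"},
    {"_time": "2024-05-01T10:11:00Z", "sourcetype": "gcp:audit", "user": "svc-build@example.iam.gserviceaccount.com",
     "methodName": "google.iam.credentials.v1.IAMCredentials.GenerateIdToken"},
    {"_time": "2024-05-01T10:15:00Z", "sourcetype": "azure:signinlogs", "user": "alice@example.com",
     "_raw": "appDisplayName=Azure AD PIM; status=Success", "riskLevelDuringSignIn": "medium"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["_time"], hit["user"], hit["detection_type"])
```

Running it flags five of the seven events; passing the ci-runner's PowerUserDeploy ARN in allowed_aws_roles drops that hit to four, which is the shape of the allowlist the tuning notes call for. The two non-matches are worth noting: the ReadOnlyAudit AssumeRole is correctly ignored, but the GenerateIdToken call, which the Testing Methodology below lists as an expected signal for Test 3, is not covered by the GCP regex as written, so that branch should be extended (or the test expectation adjusted) before relying on it.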
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Check Azure PIM Role Activations (Hunting Query)

    Expected signal: Sysmon EventCode 1: powershell.exe with Get-AzureADMSPrivilegedRoleAssignment command. Azure AD sign-in log for Graph API access.

  2. Test 2: AWS AssumeRole via CLI

    Expected signal: AWS CloudTrail: AssumeRole event with roleArn, requestedDuration, and caller identity. The 15-minute session duration is characteristic of testing.

  3. Test 3: GCP Service Account Impersonation Test

    Expected signal: GCP Cloud Audit Log: GenerateIdToken or impersonateServiceAccount event from the calling identity.

Unlock Pro Content

Get the full detection package for T1548.005 including response playbook, investigation guide, and atomic red team tests.

  • Response Playbook
  • Investigation Guide
  • Hunting Queries
  • Atomic Red Team Tests
  • Tuning Guidance