Detect Temporary Elevated Cloud Access in Sumo Logic CSE
Adversaries abuse cloud permission mechanisms to gain temporarily elevated access to cloud resources. This includes AWS AssumeRole, GCP impersonation, Azure PIM just-in-time access, and similar constructs. Attackers may abuse these features to escalate from a low-privilege identity to a higher-privilege role, pass roles to resources to gain persistent access, or exploit Google Workspace domain-wide delegation. The technique involves legitimate cloud APIs but used maliciously for privilege escalation beyond intended authorization.
MITRE ATT&CK
- Technique: T1548 Abuse Elevation Control Mechanism
- Sub-technique: T1548.005 Temporary Elevated Cloud Access
- Canonical reference: https://attack.mitre.org/techniques/T1548/005/
Sumo Detection Query
(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/audit OR _sourceCategory=azure/signinlogs OR _sourceCategory=gcp/audit)
| json auto
| where (
    (_sourceCategory matches "*aws/cloudtrail*"
      and eventName = "AssumeRole"
      and (
        requestParameters matches "*AdministratorAccess*"
        or requestParameters matches "*PowerUserAccess*"
        or requestParameters matches "*OrganizationAccountAccessRole*"
        or requestParameters matches "*FullAccess*"
      )
    )
    or (_sourceCategory matches "*azure/audit*"
      and (
        operationName matches "*Activate role*"
        or operationName matches "*Add member to role in PIM*"
        or operationName matches "*Add eligible member to role*"
      )
      and (
        targetResource matches "*Owner*"
        or targetResource matches "*Global Admin*"
        or targetResource matches "*Privileged Role Admin*"
        or targetResource matches "*Security Admin*"
        or targetResource matches "*Contributor*"
      )
    )
    or (_sourceCategory matches "*gcp/audit*"
      and (
        methodName matches "*setIamPolicy*"
        or methodName matches "*impersonateServiceAccount*"
        or methodName matches "*signJwt*"
        or methodName matches "*generateIdToken*"
      )
    )
    or (_sourceCategory matches "*azure/signinlogs*"
      and (
        appDisplayName matches "*PIM*"
        or appDisplayName matches "*Privileged Identity*"
      )
      and (riskLevelDuringSignIn = "high" or riskLevelDuringSignIn = "medium")
    )
  )
| if(_sourceCategory matches "*aws/cloudtrail*" and eventName = "AssumeRole",
    "AWS_AssumeRole_High_Priv",
    if(_sourceCategory matches "*azure/audit*"
        and (operationName matches "*Activate role*" or operationName matches "*Add member to role in PIM*" or operationName matches "*Add eligible member to role*"),
      "Azure_PIM_High_Priv_Activation",
      if(_sourceCategory matches "*gcp/audit*",
        "GCP_IAM_Impersonation",
        if(_sourceCategory matches "*azure/signinlogs*",
          "Azure_PIM_Risky_Signin",
          "Unknown"
        )
      )
    )
  ) as detection_type
| where detection_type != "Unknown"
| fields _messageTime, user, src_ip, detection_type, _sourceCategory
| sort by _messageTime desc

Sumo Logic query detecting temporary elevated cloud access abuse across multi-cloud environments. It parses AWS CloudTrail AssumeRole events whose request parameters reference high-privilege IAM roles or policies, Azure PIM role activations for privileged roles on successful operations, GCP IAM service account impersonation, JWT signing and token generation calls, and medium- or high-risk sign-ins to Azure PIM. Each match is labelled with a detection_type for analyst triage. Note that Sumo Logic has no eval operator; the conditional is written in the native if(...) as field form.
False Positives & Tuning
- Legitimate cloud administrators using just-in-time access workflows with valid change management approvals — cross-reference Sumo Logic alerts against ITSM ticket numbers recorded in the audit log justification fields
- DevOps automation using AWS cross-account AssumeRole for approved multi-account deployments or centralized logging configurations — verify caller identity matches known automation IAM roles (e.g., deploy-role, pipeline-role)
- Azure PIM role activations triggered during known on-call rotation periods where engineers receive elevated access for scheduled duties — suppress alerts that match on-call schedule data from PagerDuty or OpsGenie integrations
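As an added, runnable illustration of both the query's classification logic and the tuning rules listed above (example code written for this page, not part of the Sumo Logic query or of any vendor SDK): the Python below replays the same matches clauses over a handful of constructed events from the four log categories, labels each hit with the query's detection_type, and then applies the three suppression rules from the false-positive list (known automation principals, an ITSM ticket reference in the PIM justification field, and an on-call window). The automation principal names, the ticket number format, the on-call window and every event value are constructed assumptions. Matching is case-insensitive by choice here, so a method name such as the GenerateIdToken named in the GCP test below still hits the generateIdToken pattern.

```python
import json
import re
from datetime import datetime, timezone

# Substring patterns copied from the query's "matches" clauses.
AWS_PRIV_PATTERNS = ("AdministratorAccess", "PowerUserAccess",
                     "OrganizationAccountAccessRole", "FullAccess")
AZURE_PIM_OPS = ("Activate role", "Add member to role in PIM", "Add eligible member to role")
AZURE_PRIV_ROLES = ("Owner", "Global Admin", "Privileged Role Admin", "Security Admin", "Contributor")
GCP_METHODS = ("setIamPolicy", "impersonateServiceAccount", "signJwt", "generateIdToken")
PIM_APPS = ("PIM", "Privileged Identity")


def _contains_any(value, needles):
    """Case-insensitive '*needle*' match; nested JSON (e.g. requestParameters)
    is flattened to text first, as json auto would expose it to the query."""
    text = (value if isinstance(value, str) else json.dumps(value or "")).lower()
    return any(n.lower() in text for n in needles)


def classify(event):
    """Mirror the query's detection_type assignment; None means no alert."""
    cat = event.get("_sourceCategory", "")
    if "aws/cloudtrail" in cat:
        if event.get("eventName") == "AssumeRole" and _contains_any(
                event.get("requestParameters"), AWS_PRIV_PATTERNS):
            return "AWS_AssumeRole_High_Priv"
    elif "azure/audit" in cat:
        if (_contains_any(event.get("operationName"), AZURE_PIM_OPS)
                and _contains_any(event.get("targetResource"), AZURE_PRIV_ROLES)):
            return "Azure_PIM_High_Priv_Activation"
    elif "gcp/audit" in cat:
        if _contains_any(event.get("methodName"), GCP_METHODS):
            return "GCP_IAM_Impersonation"
    elif "azure/signinlogs" in cat:
        if (_contains_any(event.get("appDisplayName"), PIM_APPS)
                and event.get("riskLevelDuringSignIn") in ("high", "medium")):
            return "Azure_PIM_Risky_Signin"
    return None


# Hypothetical tuning data, constructed for this example.
DEFAULT_TUNING = {
    "automation_principals": ("deploy-role", "pipeline-role"),  # known CI/CD roles
    "ticket_pattern": re.compile(r"\b(?:CHG|INC)-\d+\b"),        # assumed ITSM ticket format
    "oncall_windows": [(datetime(2024, 5, 1, 8, tzinfo=timezone.utc),
                        datetime(2024, 5, 1, 20, tzinfo=timezone.utc))],
}


def suppression_reason(event, detection_type, tuning):
    """Apply the false-positive tuning rules; None keeps the alert live."""
    user = event.get("user", "")
    if detection_type == "AWS_AssumeRole_High_Priv" and any(
            p in user for p in tuning["automation_principals"]):
        return "known_automation_role"
    if detection_type == "Azure_PIM_High_Priv_Activation":
        # Ticket reference in the PIM justification; production code should also
        # confirm the ticket exists and is approved in the ITSM system.
        if tuning["ticket_pattern"].search(event.get("justification", "")):
            return "itsm_ticket_referenced"
        ts = datetime.fromisoformat(event["_messageTime"].replace("Z", "+00:00"))
        if any(start <= ts <= end for start, end in tuning["oncall_windows"]):
            return "oncall_window"
    return None


def run_detection(events, tuning=DEFAULT_TUNING):
    """Alert rows in the query's output shape, newest first, plus a 'suppressed'
    field naming the tuning rule that matched (or None)."""
    alerts = []
    for ev in events:
        dt = classify(ev)
        if dt is None:
            continue
        alerts.append({"_messageTime": ev.get("_messageTime"), "user": ev.get("user"),
                       "src_ip": ev.get("src_ip"), "detection_type": dt,
                       "_sourceCategory": ev.get("_sourceCategory"),
                       "suppressed": suppression_reason(ev, dt, tuning)})
    alerts.sort(key=lambda a: a["_messageTime"], reverse=True)
    return alerts


# Constructed sample events (not real telemetry); field names follow the query.
SAMPLE_EVENTS = [
    {"_sourceCategory": "aws/cloudtrail", "_messageTime": "2024-05-01T10:00:00Z", "user": "alice",
     "src_ip": "203.0.113.10", "eventName": "AssumeRole",
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/AdministratorAccess", "durationSeconds": 900}},
    {"_sourceCategory": "aws/cloudtrail", "_messageTime": "2024-05-01T09:30:00Z",
     "user": "arn:aws:sts::111111111111:assumed-role/pipeline-role/build-42", "src_ip": "203.0.113.20",
     "eventName": "AssumeRole", "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/PowerUserAccess"}},
    {"_sourceCategory": "azure/audit", "_messageTime": "2024-05-01T22:00:00Z", "user": "dave", "src_ip": "198.51.100.5",
     "operationName": "Activate role", "targetResource": "Global Administrator", "justification": "CHG-10421 patch window"},
    {"_sourceCategory": "azure/audit", "_messageTime": "2024-05-01T15:00:00Z", "user": "erin", "src_ip": "198.51.100.6",
     "operationName": "Activate role", "targetResource": "Owner", "justification": "on-call"},
    {"_sourceCategory": "azure/audit", "_messageTime": "2024-05-01T23:00:00Z", "user": "carol", "src_ip": "198.51.100.7",
     "operationName": "Add member to role in PIM", "targetResource": "Privileged Role Administrator", "justification": ""},
    {"_sourceCategory": "gcp/audit", "_messageTime": "2024-05-01T11:00:00Z", "user": "svc-ci", "src_ip": "192.0.2.8",
     "methodName": "GenerateIdToken"},
    {"_sourceCategory": "azure/signinlogs", "_messageTime": "2024-05-01T12:00:00Z", "user": "frank", "src_ip": "198.51.100.9",
     "appDisplayName": "Azure AD PIM", "riskLevelDuringSignIn": "medium"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["_messageTime"], row["detection_type"], row["user"], "suppressed:", row["suppressed"])
```

Suppressed rows are returned with the matching rule name rather than dropped, so a periodic review can confirm that allowlists and on-call windows are still suppressing only what they were meant to; in a production pipeline the ticket check would be an ITSM lookup rather than a pattern match.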
Testing Methodology
Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Check Azure PIM Role Activations (Hunting Query)
  Expected signal: Sysmon EventCode 1: powershell.exe with Get-AzureADMSPrivilegedRoleAssignment command. Azure AD sign-in log for Graph API access.
- Test 2: AWS AssumeRole via CLI
  Expected signal: AWS CloudTrail: AssumeRole event with roleArn, requestedDuration, and caller identity. The 15-minute session duration is characteristic of testing.
- Test 3: GCP Service Account Impersonation Test
  Expected signal: GCP Cloud Audit Log: GenerateIdToken or impersonateServiceAccount event from the calling identity.
References
- https://attack.mitre.org/techniques/T1548/005/
- https://cloud.google.com/blog/topics/threat-intelligence/exploring-critical-risk-google-workspace-domain-wide-delegation
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
- https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/