title: Temporary Elevated Cloud Access (T1548.005)
id: df00tech-t1548-005
status: experimental
description: "Adversaries abuse cloud permission mechanisms that grant temporary elevated access, such as AWS STS AssumeRole, GCP service account impersonation, and Azure PIM just-in-time role activation. An attacker who controls a low-privilege identity may use these features to escalate into a higher-privilege role, pass a privileged role to a resource they control to retain access, or abuse Google Workspace domain-wide delegation. The API calls themselves are legitimate; the abuse is elevation beyond the authorization the identity was intended to have, so detection rests on who elevates, into which role, and whether that pairing is expected."
references:
  - https://attack.mitre.org/techniques/T1548/005/
  - https://df00tech.com/detections/T1548.005
author: df00tech
date: 2026/04/20
tags:
  - attack.t1548.005
# NOTE: logsource is auto-derived (Azure only) and may need adjustment for your environment.
# The AWS and GCP mechanisms named in the description are not covered by this logsource and
# need their own rule variants (e.g. a CloudTrail-based logsource for sts:AssumeRole).
logsource:
  product: azure
detection:
  # PLACEHOLDER: the df00tech KQL/SPL logic could not be auto-translated into Sigma; see the query on df00tech.
  # The selection below matches EVERY event, so this rule must not be enabled at level high until
  # the selection is replaced with the actual role-activation / role-assumption criteria.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized IT administrators activating PIM roles for planned maintenance activities
  - Security team members elevating privileges for incident response during known incidents
  - DevOps engineers assuming cross-account roles for authorized deployment activities
  - Automated pipelines that assume roles for CI/CD operations in cloud infrastructure
level: high
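The placeholder selection above matches everything, so the following is an added example of what the detection logic for this technique looks like when actually implemented. It is not df00tech's rule logic and not vendor code. It normalises two record shapes, an AWS CloudTrail sts:AssumeRole event and an Azure AD audit-log PIM activation, into one schema and reports elevation into a privileged role by any principal that is not on an allowlist covering the false positives listed above (CI/CD runners, on-call administrators). Field names follow the CloudTrail and Azure AD audit-log layouts; every value (account IDs, ARNs, user names, IP addresses, the role set and the allowlist) is constructed for the example.

```python
"""Added example: T1548.005 elevation detector over constructed sample events.
Not df00tech's rule and not vendor code; field layouts follow CloudTrail and the
Azure AD audit log, all values are made up."""
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical privileged roles: landing in one of these is the elevation of interest.
PRIVILEGED_ROLES = {
    "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole",
    "Global Administrator",
    "Privileged Role Administrator",
}
# Hypothetical allowlist for the documented false positives (CI/CD runner, on-call admin).
ALLOWLIST = {
    "arn:aws:iam::111122223333:user/ci-deployer",
    "oncall-admin@contoso.example",
}


@dataclass(frozen=True)
class Elevation:
    platform: str
    actor: str
    role: str
    source_ip: str


def normalise_cloudtrail(event: dict) -> Optional[Elevation]:
    """Map a successful CloudTrail sts:AssumeRole record to the common schema."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRole":
        return None
    if event.get("errorCode"):  # AccessDenied etc.: no elevation actually happened
        return None
    actor = event.get("userIdentity", {}).get("arn", "")
    role = event.get("requestParameters", {}).get("roleArn", "")
    return Elevation("aws", actor, role, event.get("sourceIPAddress", ""))


def normalise_azure_pim(event: dict) -> Optional[Elevation]:
    """Map a completed, successful Azure AD PIM activation audit record to the common schema."""
    if event.get("category") != "RoleManagement" or event.get("result") != "success":
        return None
    if "PIM activation" not in event.get("activityDisplayName", ""):
        return None
    user = event.get("initiatedBy", {}).get("user", {})
    role = ""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                # newValue is a JSON-encoded string, e.g. "\"Global Administrator\""
                role = json.loads(prop.get("newValue") or '""')
    return Elevation("azure", user.get("userPrincipalName", ""), role, user.get("ipAddress", ""))


def detect(events: list) -> list:
    """One finding per elevation into a privileged role by a non-allowlisted actor."""
    findings = []
    for event in events:
        elev = normalise_cloudtrail(event) or normalise_azure_pim(event)
        if elev is None or elev.role not in PRIVILEGED_ROLES or elev.actor in ALLOWLIST:
            continue
        findings.append({"platform": elev.platform, "actor": elev.actor, "role": elev.role,
                         "source_ip": elev.source_ip, "technique": "T1548.005"})
    return findings


def _ct(user, role, ip, **extra):  # helper to build constructed CloudTrail records
    rec = {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
           "requestParameters": {"roleArn": f"arn:aws:iam::111122223333:role/{role}"},
           "sourceIPAddress": ip}
    rec.update(extra)
    return rec


def _pim(upn, ip, role, result):  # helper to build constructed Azure AD audit records
    return {"category": "RoleManagement", "result": result,
            "activityDisplayName": "Add member to role completed (PIM activation)",
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "targetResources": [{"modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": json.dumps(role)}]}]}


# Constructed sample log: expected automation, a real escalation, noise, a denial, and a PIM pair.
SAMPLE_EVENTS = [
    _ct("ci-deployer", "OrganizationAccountAccessRole", "10.0.0.5"),        # allowlisted
    _ct("intern", "OrganizationAccountAccessRole", "203.0.113.7"),          # finding
    _ct("intern", "ReadOnly", "203.0.113.7"),                               # not privileged
    _ct("intern", "OrganizationAccountAccessRole", "203.0.113.7",
        errorCode="AccessDenied"),                                          # denied, ignored
    _pim("jdoe@contoso.example", "198.51.100.4", "Global Administrator", "success"),  # finding
    _pim("jdoe@contoso.example", "198.51.100.4", "Global Administrator", "failure"),  # ignored
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is keyed on the full principal identifier rather than a name fragment so that a renamed or look-alike principal does not inherit the exemption; in production the allowlist and privileged-role set would come from the environment's inventory, and a denied AssumeRole against a privileged role is worth a separate, lower-severity rule.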
