DET0393 Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)
| Item | Value |
|---|---|
| ID | DET0393 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1548.005 (Temporary Elevated Cloud Access)
Analytics
IaaS
AN1105
Correlated AWS CloudTrail events indicating temporary privilege escalation: a PassRole step (the role ARN supplied to an API call that creates or reconfigures a function, instance, or task) followed by an sts:AssumeRole for the same role, targeting newly created services or non-interactive infrastructure.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| targetRoleName | Define which roles are allowed to be assumed or passed; restrict highly privileged roles. |
| TimeWindow | Maximum interval between the PassRole and AssumeRole events for them to be linked as one privilege chain. |
| invokingService | Restrict which services are authorized to invoke role passing (e.g., Lambda, EC2). |
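The chain this analytic describes, as an added example that is not part of the ATT&CK page: a Python correlation over constructed CloudTrail records. One point matters for anyone building the rule. CloudTrail has no standalone "PassRole" event; iam:PassRole is a permission evaluated when an API call such as lambda:CreateFunction receives a role ARN, so the pass is visible as the role parameter of that call, and the chain closes when sts:AssumeRole is logged with userIdentity.type set to AWSService and invokedBy naming the service now running under the role. The role names, window, service allowlist and the table of role-accepting APIs are assumptions for the example.

```python
"""Added example for AN1105 (not the ATT&CK page's own code): link the iam:PassRole
step to the service-side sts:AssumeRole. All records below are constructed; the role
names, window, invoker allowlist and PASSROLE_APIS table are assumptions."""
from datetime import datetime, timezone

# The analytic's mutable elements. Concrete values are assumptions for this example.
PRIVILEGED_ROLES = {"AdminRole", "BreakGlassRole"}                 # targetRoleName
TIME_WINDOW_SECONDS = 600                                          # TimeWindow
ALLOWED_INVOKERS = {"lambda.amazonaws.com", "ec2.amazonaws.com"}   # invokingService

# (eventSource, eventName) -> requestParameters key that carries the passed role ARN.
# Assumed, non-exhaustive list; extend it for other role-accepting APIs.
PASSROLE_APIS = {
    ("lambda.amazonaws.com", "CreateFunction20150331"): "role",
    ("lambda.amazonaws.com", "UpdateFunctionConfiguration20150331v2"): "role",
    ("ecs.amazonaws.com", "RegisterTaskDefinition"): "taskRoleArn",
}

ACCT = "123456789012"
SAMPLE_EVENTS = [  # constructed CloudTrail records, deliberately not in time order
    # Lambda assumes AdminRole 85 s after the function was created with it: alert.
    {"eventTime": "2025-10-21T14:01:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/AdminRole",
                           "roleSessionName": "nightly-cleanup"}},
    # dev-alice creates a function that runs under AdminRole (this call exercised iam:PassRole).
    {"eventTime": "2025-10-21T14:00:05Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/dev-alice"},
     "requestParameters": {"functionName": "nightly-cleanup",
                           "role": f"arn:aws:iam::{ACCT}:role/AdminRole"}},
    # Same pattern with a low-privilege execution role: no alert under the defaults.
    {"eventTime": "2025-10-21T14:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/dev-bob"},
     "requestParameters": {"functionName": "thumbnailer",
                           "role": f"arn:aws:iam::{ACCT}:role/LambdaBasicExecution"}},
    {"eventTime": "2025-10-21T14:05:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/LambdaBasicExecution",
                           "roleSessionName": "thumbnailer"}},
    # AdminRole assumed again hours later: outside TimeWindow, so not linked to the pass.
    {"eventTime": "2025-10-21T17:45:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/AdminRole",
                           "roleSessionName": "nightly-cleanup"}},
]


def _ts(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def role_name(arn):
    return arn.rsplit("/", 1)[-1]


def passed_role_arn(event):
    """Role ARN this API call handed to a service (the iam:PassRole step), or None."""
    key = PASSROLE_APIS.get((event.get("eventSource"), event.get("eventName")))
    return (event.get("requestParameters") or {}).get(key) if key else None


def service_assume(event):
    """(invoking service, role ARN) when a service principal calls sts:AssumeRole, else None."""
    if (event.get("eventSource"), event.get("eventName")) != ("sts.amazonaws.com", "AssumeRole"):
        return None
    ident = event.get("userIdentity") or {}
    if ident.get("type") != "AWSService":
        return None
    return ident.get("invokedBy"), (event.get("requestParameters") or {}).get("roleArn")


def correlate(events, privileged_roles=PRIVILEGED_ROLES, window=TIME_WINDOW_SECONDS,
              allowed_invokers=ALLOWED_INVOKERS):
    """Pair each service-side AssumeRole with an earlier PassRole-bearing call for the
    same role inside the window; alert when the role is privileged or the invoking
    service is not one expected to run under passed roles."""
    alerts, passes = [], []  # passes: (time, passing principal, role ARN, API used)
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        arn = passed_role_arn(e)
        if arn:
            passes.append((_ts(e["eventTime"]), (e.get("userIdentity") or {}).get("arn"),
                           arn, e["eventName"]))
            continue
        hit = service_assume(e)
        if not hit:
            continue
        invoker, assumed = hit
        t = _ts(e["eventTime"])
        for pt, principal, parn, api in passes:
            delay = (t - pt).total_seconds()
            if parn != assumed or not 0 <= delay <= window:
                continue
            reasons = []
            if role_name(parn) in privileged_roles:
                reasons.append(f"privileged role {role_name(parn)} passed")
            if invoker not in allowed_invokers:
                reasons.append(f"unexpected invoking service {invoker}")
            if reasons:
                alerts.append({"role": role_name(parn), "passed_by": principal, "via": api,
                               "invoked_by": invoker, "delay_s": delay, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the sample yields one alert: dev-alice passed AdminRole through CreateFunction20150331 and Lambda assumed it 85 seconds later. The LambdaBasicExecution chain is suppressed because the role is not on the privileged list and Lambda is an allowed invoker; the later AdminRole assumption falls outside the window and is not linked. Shrinking the invokingService allowlist (for instance to an empty set) makes the benign chain alert as well, which is how the mutable element is meant to be tuned.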
Identity Provider
AN1106
Token creation or access delegation in which a user impersonates a higher-privileged service account or performs domain-wide delegation actions, such as use of GCP's Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) or Google Workspace domain-wide delegation to impersonate user accounts.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| userEmailFilter | Tune based on legitimate service accounts allowed to impersonate user accounts. |
| delegatedScope | Limit delegated access to specific scopes relevant to business functions. |
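The GCP side of this analytic, as an added example that is not part of the ATT&CK page: a policy check over constructed Cloud Audit Log entries for the IAM Service Account Credentials API (GenerateAccessToken, GenerateIdToken, SignBlob, SignJwt), which is where use of the Token Creator role shows up. These calls land in the Data Access audit log, so that log must be enabled for iamcredentials.googleapis.com before the rule sees anything. The allowlist of caller-to-target pairs (userEmailFilter) and the per-target scope policy (delegatedScope) are assumptions; the Workspace domain-wide delegation grant would be checked the same way against its own allowlist and is not modelled here.

```python
"""Added example for AN1106 (not the ATT&CK page's own code): flag service-account
impersonation in GCP Cloud Audit Logs that is outside an allowlist of caller -> target
pairs or asks for broader OAuth scopes than the pair is meant to use. Entries are
constructed; field names follow the AuditLog protoPayload format; the policy tables
are assumptions."""

IMPERSONATION_METHODS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}
SA_PREFIX = "projects/-/serviceAccounts/"

# userEmailFilter: caller -> service accounts it is allowed to impersonate (assumed policy)
ALLOWED_IMPERSONATION = {
    "ci-runner@proj.iam.gserviceaccount.com": {"deployer@proj.iam.gserviceaccount.com"},
}
# delegatedScope: OAuth scopes each target account is expected to be asked for (assumed policy)
ALLOWED_SCOPES = {
    "deployer@proj.iam.gserviceaccount.com": {
        "https://www.googleapis.com/auth/devstorage.read_write"},
}

SAMPLE_ENTRIES = [  # constructed Data Access audit log entries
    # Allowed pair, allowed scope: no finding.
    {"timestamp": "2025-10-21T09:12:03Z", "protoPayload": {
        "serviceName": "iamcredentials.googleapis.com", "methodName": "GenerateAccessToken",
        "authenticationInfo": {"principalEmail": "ci-runner@proj.iam.gserviceaccount.com"},
        "resourceName": SA_PREFIX + "deployer@proj.iam.gserviceaccount.com",
        "request": {"scope": ["https://www.googleapis.com/auth/devstorage.read_write"]},
        "requestMetadata": {"callerIp": "203.0.113.5"}}},
    # Allowed pair, but the token is minted with cloud-platform: scope outside policy.
    {"timestamp": "2025-10-21T09:40:17Z", "protoPayload": {
        "serviceName": "iamcredentials.googleapis.com", "methodName": "GenerateAccessToken",
        "authenticationInfo": {"principalEmail": "ci-runner@proj.iam.gserviceaccount.com"},
        "resourceName": SA_PREFIX + "deployer@proj.iam.gserviceaccount.com",
        "request": {"scope": ["https://www.googleapis.com/auth/cloud-platform"]},
        "requestMetadata": {"callerIp": "203.0.113.5"}}},
    # A human user mints a token for an admin service account: not allowlisted at all.
    {"timestamp": "2025-10-21T23:05:44Z", "protoPayload": {
        "serviceName": "iamcredentials.googleapis.com", "methodName": "GenerateAccessToken",
        "authenticationInfo": {"principalEmail": "mallory@example.com"},
        "resourceName": SA_PREFIX + "admin-sa@proj.iam.gserviceaccount.com",
        "request": {"scope": ["https://www.googleapis.com/auth/cloud-platform"]},
        "requestMetadata": {"callerIp": "198.51.100.77"}}},
    # Unrelated IAM call: ignored by this rule.
    {"timestamp": "2025-10-21T23:06:10Z", "protoPayload": {
        "serviceName": "iam.googleapis.com", "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "mallory@example.com"},
        "resourceName": "projects/proj/serviceAccounts/admin-sa@proj.iam.gserviceaccount.com"}},
]


def target_service_account(payload):
    """Impersonated account from resourceName 'projects/-/serviceAccounts/<email>'."""
    name = payload.get("resourceName", "")
    return name[len(SA_PREFIX):] if name.startswith(SA_PREFIX) else None


def requested_scopes(payload):
    """Scopes asked for; SignBlob/SignJwt carry none, so this is empty for them."""
    scope = (payload.get("request") or {}).get("scope", [])
    return set(scope if isinstance(scope, list) else [scope])


def evaluate_entry(entry, allowed=ALLOWED_IMPERSONATION, scopes=ALLOWED_SCOPES):
    """Finding dict for an impersonation call that breaks policy, else None."""
    p = entry.get("protoPayload") or {}
    if p.get("serviceName") != "iamcredentials.googleapis.com":
        return None
    if p.get("methodName") not in IMPERSONATION_METHODS:
        return None
    caller = (p.get("authenticationInfo") or {}).get("principalEmail")
    target = target_service_account(p)
    reasons = []
    if target not in allowed.get(caller, set()):
        reasons.append(f"{caller} is not allowed to impersonate {target}")
    extra = requested_scopes(p) - scopes.get(target, set())
    if extra:
        reasons.append("scope outside policy: " + ", ".join(sorted(extra)))
    if not reasons:
        return None
    return {"time": entry.get("timestamp"), "caller": caller, "target": target,
            "method": p["methodName"],
            "caller_ip": (p.get("requestMetadata") or {}).get("callerIp"),
            "reasons": reasons}


def evaluate(entries, **policy):
    return [f for f in (evaluate_entry(e, **policy) for e in entries) if f]


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ENTRIES):
        print(finding)
```

On the sample the first entry is clean, the second fires only on scope, and the third fires on both the unlisted caller and the scope, which is the ordering of interest: a legitimate automation account over-requesting scope is a tuning question, while a human principal minting tokens for an administrative service account is the behaviour the analytic exists for.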
Office Suite
AN1107
Assignment of the Exchange Online ApplicationImpersonation role, or delegation of mailbox access, to service principals or rarely used accounts, especially outside normal working hours or the usual geographic locations for the administrator involved.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TargetMailbox | Mailbox of interest where impersonation or access delegation occurs. |
| UserAgent | Tune based on expected application or script-based mailbox access. |
| GeoLocation | Restrict based on corporate geography or travel expectations. |
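A scoring rule for this analytic, as an added example that is not part of the ATT&CK page: it reads constructed Exchange admin-audit records in the shape of the Microsoft 365 unified audit log (CreationTime, UserId, Operation, ClientIP, and Parameters as Name/Value pairs), picks out New-ManagementRoleAssignment with Role ApplicationImpersonation and Add-MailboxPermission with FullAccess, and raises severity for a watched TargetMailbox, an off-hours change, or a client IP that geolocates outside expected countries. The watchlist, the business-hours window, the country list and the geolocation table (a stand-in for a real GeoIP lookup) are assumptions; the UserAgent element is not modelled.

```python
"""Added example for AN1107 (not the ATT&CK page's own code): score impersonation-role
and full-mailbox grants from unified audit log records. Records are constructed; the
watchlist, hours, countries and the GEOIP_STUB table are assumptions."""
from datetime import datetime, timezone

WATCHED_MAILBOXES = {"ceo@contoso.example", "finance@contoso.example"}  # TargetMailbox
EXPECTED_COUNTRIES = {"US", "GB"}                                       # GeoLocation
BUSINESS_HOURS_UTC = (13, 22)   # assumed 08:00-17:00 US Eastern (DST), Monday to Friday
GEOIP_STUB = {"203.0.113.17": "US", "198.51.100.9": "GB", "192.0.2.44": "RU"}  # constructed

SAMPLE_RECORDS = [  # constructed AuditData records, Workload "Exchange"
    # Tuesday, 15:02 UTC, US egress: ApplicationImpersonation granted to a service account.
    {"CreationTime": "2025-10-21T15:02:11", "Workload": "Exchange", "RecordType": 1,
     "UserId": "admin@contoso.example", "ClientIP": "203.0.113.17",
     "Operation": "New-ManagementRoleAssignment",
     "Parameters": [{"Name": "Role", "Value": "ApplicationImpersonation"},
                    {"Name": "User", "Value": "svc-archiver@contoso.example"}]},
    # Sunday, 03:14 UTC, from RU: FullAccess on the CEO mailbox for a "backup" account.
    {"CreationTime": "2025-10-19T03:14:52", "Workload": "Exchange", "RecordType": 1,
     "UserId": "helpdesk2@contoso.example", "ClientIP": "192.0.2.44:51722",
     "Operation": "Add-MailboxPermission",
     "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example"},
                    {"Name": "User", "Value": "svc-backup@contoso.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    # Read-only delegation: not FullAccess, ignored.
    {"CreationTime": "2025-10-21T16:30:00", "Workload": "Exchange", "RecordType": 1,
     "UserId": "admin@contoso.example", "ClientIP": "203.0.113.17",
     "Operation": "Add-MailboxPermission",
     "Parameters": [{"Name": "Identity", "Value": "finance@contoso.example"},
                    {"Name": "User", "Value": "auditor@contoso.example"},
                    {"Name": "AccessRights", "Value": "ReadPermission"}]},
    # Unrelated mailbox setting: ignored.
    {"CreationTime": "2025-10-21T16:31:00", "Workload": "Exchange", "RecordType": 1,
     "UserId": "admin@contoso.example", "ClientIP": "203.0.113.17",
     "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "finance@contoso.example"},
                    {"Name": "AuditEnabled", "Value": "True"}]},
]


def parameters(record):
    """Flatten the UAL Parameters list of {Name, Value} into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def grant_target(record):
    """(what was granted, grantee, mailbox) for grants this rule cares about, else None."""
    op, prm = record.get("Operation"), parameters(record)
    if op == "New-ManagementRoleAssignment" and prm.get("Role") == "ApplicationImpersonation":
        return "ApplicationImpersonation", prm.get("User") or prm.get("App"), None
    if op == "Add-MailboxPermission" and "FullAccess" in prm.get("AccessRights", ""):
        return "FullAccess", prm.get("User"), prm.get("Identity")
    return None


def outside_business_hours(creation_time):
    """CreationTime is UTC without a zone suffix in the AuditData JSON."""
    t = datetime.strptime(creation_time, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return t.weekday() >= 5 or not BUSINESS_HOURS_UTC[0] <= t.hour < BUSINESS_HOURS_UTC[1]


def client_country(record, geo):
    ip = record.get("ClientIP", "")
    if ip.count(":") == 1:          # IPv4 with a port appended, as some records carry
        ip = ip.rsplit(":", 1)[0]
    return geo.get(ip, "??")


def score(record, watched=WATCHED_MAILBOXES, countries=EXPECTED_COUNTRIES, geo=GEOIP_STUB):
    """Base severity 1 for any qualifying grant, +1 per aggravating condition."""
    grant = grant_target(record)
    if not grant:
        return None
    what, grantee, mailbox = grant
    reasons, severity = [f"{what} granted to {grantee}"], 1
    if mailbox in watched:
        severity += 1
        reasons.append(f"watched mailbox {mailbox}")
    if outside_business_hours(record["CreationTime"]):
        severity += 1
        reasons.append("outside business hours")
    country = client_country(record, geo)
    if country not in countries:
        severity += 1
        reasons.append(f"client IP geolocates to {country}")
    return {"time": record["CreationTime"], "actor": record["UserId"],
            "operation": record["Operation"], "grantee": grantee, "mailbox": mailbox,
            "severity": severity, "reasons": reasons}


def score_all(records, **policy):
    return [s for s in (score(r, **policy) for r in records) if s]


if __name__ == "__main__":
    for result in score_all(SAMPLE_RECORDS):
        print(result)
```

The ApplicationImpersonation assignment scores 1 on its own: it is rare enough to be worth a ticket even during business hours from a known location. The Sunday-night FullAccess grant on the CEO mailbox from an unexpected country scores 4, which is the case the analytic is written for. Tuning lives in the three policy sets rather than in the matching logic, so the mutable elements can be changed without touching the rule.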