T1548.005 Temporary Elevated Cloud Access

Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.

Just-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Google Cloud Just in Time Access 2023)(Citation: Azure Just in Time Access 2023)

Account impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the iam.serviceAccountTokenCreator role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account.(Citation: Google Cloud Service Account Authentication Roles) In Exchange Online, the ApplicationImpersonation role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange)

Many cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access – for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the PassRole permission can allow a service they create to assume a given role, while in GCP, users with the iam.serviceAccountUser role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)

While users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)

Note: this technique is distinct from Additional Cloud Roles, which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control Additional Cloud Roles that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-05 Access Restrictions for Change Protects T1548.005 Temporary Elevated Cloud Access
AC-03 Access Enforcement Protects T1548.005 Temporary Elevated Cloud Access
AC-02 Account Management Protects T1548.005 Temporary Elevated Cloud Access
AC-06 Least Privilege Protects T1548.005 Temporary Elevated Cloud Access

M365 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PUR-AS-E5 Audit Solutions Technique Scores T1548.005 Temporary Elevated Cloud Access
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions detects Temporary Elevated Cloud Access attacks due to it's DataInsightsRestApiAudit AuditLogRecord type which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. License Requirements: Microsoft 365 E3 and E5
References
ME-RBAC-E3 Role Based Access Control Technique Scores T1548.005 Temporary Elevated Cloud Access
Comments
The RBAC control can be used to implement the principle of least privilege to limit the ability of cloud accounts to assume, create, or impersonate only required privileges. This scores Minimal for its ability to protect against the actions temporary elevated accounts can take. License Requirements: ME-ID Built-in Roles (Free)
References
ME-CAE-E3 Conditional Access Evaluation Technique Scores T1548.005 Temporary Elevated Cloud Access
Comments
Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
References