Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0978: Analytic 0978

Monitor for unexpected privilege elevation operations via SAML assertion manipulation, role injection, or changes to identity mappings that result in access escalation.

EnterpriseAN0978AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0978 focuses on detecting unexpected privilege elevation in an identity provider, especially where SAML assertions, role assignments, or identity mappings are manipulated to grant higher access. For leaders, the practical issue is identity control integrity: if privilege changes in the identity layer are not visible and reviewable, an incident can quickly become an enterprise-wide access problem.

Executive priority

Prioritize this as an identity governance and incident readiness concern. The key business question is whether privileged access changes through the identity provider can be detected, explained, and evidenced quickly during an audit or investigation. This analytic is especially relevant to control validation around least privilege, access escalation review, and SOC visibility into identity-provider activity.

Technical view

SOC and detection teams should validate monitoring for privilege elevation events in the Identity Provider platform. Focus on unexpected changes involving SAML assertion behavior, role injection, and identity mapping changes that result in access escalation. Because no official detection logic or relationship context is supplied, teams should map this analytic to local identity-provider logs, administrative change events, SAML/SSO configuration changes, and access-review workflows before writing high-confidence alerts.

Likely telemetry

  • Identity provider administrative audit logs
  • Role assignment and privilege change events
  • SAML assertion and federation configuration change records
  • Identity mapping or group-to-role mapping change events
  • Authentication and authorization logs showing newly elevated access

Detection direction

  • Validate that identity-provider audit logging captures who changed roles, mappings, federation settings, and privilege-related configurations.
  • Alert on privilege elevation operations that lack a corresponding approved change or access request.
  • Correlate identity mapping changes with subsequent access to privileged applications or roles.
  • Tune carefully for legitimate administrative activity, emergency access workflows, and planned IAM changes.
  • Review blind spots where SAML configuration, role mappings, or federation changes are made outside standard change-management processes.

Mitigation priorities

  • Enforce least privilege and strong administrative controls for identity-provider administrators.
  • Require approval and review workflows for role, mapping, and federation configuration changes.
  • Maintain auditable change records for privileged identity operations.
  • Regularly review SAML, role, and identity-mapping configurations for unintended privilege paths.
  • Ensure incident response playbooks include validation and rollback of unauthorized identity-provider privilege changes.
Analyst notes and limits

This object is a detection analytic for the enterprise ATT&CK domain with platform scope limited to Identity Provider. ATT&CK provides a concise monitoring objective but no official detection query, tactic mapping, or relationships, so local implementation depends on the organization’s identity-provider telemetry and administrative process evidence.

No official detection logic, tactics, aliases, labels, or relationship context were supplied. This take does not infer specific vendors, adversaries, active exploitation, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0978

Monitor for unexpected privilege elevation operations via SAML assertion manipulation, role injection, or changes to identity mappings that result in access escalation.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d00f85c0732338f8...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle d00f85c07323…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0978
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use