AN0979: Analytic 0979
Detect sudden privilege escalations such as IAM role changes, user-assigned privilege boundaries, or elevation via assumed roles beyond normal behavior.
Analyst context for executives and security teams
AN0979 is a cloud-focused detection analytic for spotting sudden privilege escalation in IaaS identity controls, such as IAM role changes, privilege boundary changes, or unusual elevation through assumed roles. For security leaders, the value is not just detecting an identity change; it is validating whether the organization can quickly distinguish approved administrative work from unexpected expansion of cloud privileges before it affects data, workloads, or incident containment.
Executive priority
Treat this as a control-validation priority for cloud security, IAM governance, SOC readiness, and audit evidence. Sudden privilege elevation can undermine least privilege, weaken segregation of duties, and complicate incident response decisions. Leaders should ask whether cloud identity changes are centrally logged, baselined against normal behavior, reviewed with business context, and escalated fast enough to support containment decisions.
Technical view
For SOC, detection engineering, and IR teams, the practical focus is behavioral monitoring of IaaS identity and access changes. Validate that telemetry captures IAM role modifications, privilege boundary assignments or changes, and assumed-role activity. Because the official analytic provides a description but no detection logic, teams should define local baselines for normal administrative behavior, expected automation, approved break-glass access, and privileged role assumption patterns before alerting on sudden deviations.
Likely telemetry
- IaaS audit logs for identity and access management events
- IAM role creation, update, attachment, detachment, and policy change records
- Privilege boundary assignment or modification events
- Assumed-role or temporary credential usage events
- User, role, service account, source IP, session, and timestamp context for privileged activity
Detection direction
- Validate that IAM and assumed-role events from supported IaaS environments are ingested with sufficient identity, session, and policy-change detail.
- Build or tune baselines for normal privileged administration, automation-driven changes, and approved emergency access to reduce false positives.
- Prioritize alerts where privilege changes are sudden, unusual for the actor, outside expected maintenance windows, or not linked to approved change records.
- Correlate role changes, privilege boundary updates, and role assumption events rather than reviewing each event in isolation.
- Document blind spots where cloud audit logging, retention, identity context, or change-management correlation is incomplete.
Mitigation priorities
- Enforce least privilege and routine review of highly privileged IaaS roles and policies.
- Use change approval and evidence retention for privileged IAM modifications.
- Restrict and monitor privilege boundary changes and role assumption paths that enable elevation.
- Maintain break-glass procedures that are logged, time-bound, and reviewable.
- Test SOC and IR workflows for triaging unexpected privilege escalation in cloud identity systems.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for IaaS environments and specifically describes sudden privilege escalation involving IAM role changes, user-assigned privilege boundaries, or elevation through assumed roles. No tactics, relationships, or official detection logic were supplied, so this take emphasizes validation, telemetry readiness, and control assurance rather than a specific rule implementation.
This summary is limited to the official STIX fields, external reference, and the absence of relationship context. It does not establish active exploitation, threat actor use, business impact, or confirmed detection coverage. Local cloud provider architecture, IAM design, logging configuration, and change-management evidence are required to operationalize the analytic.
Analytic 0979
Detect sudden privilege escalations such as IAM role changes, user-assigned privilege boundaries, or elevation via assumed roles beyond normal behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9c2d295b2bd8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0979Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.