Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0393: Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)

DET0393 is a MITRE detection strategy for abuse of temporary elevated cloud access related to ATT&CK T1548.005. The business issue is not simply that a use...

EnterpriseDET0393Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0393 is a MITRE detection strategy for abuse of temporary elevated cloud access related to ATT&CK T1548.005. The business issue is not simply that a user gains more privilege; it is that legitimate just-in-time access, role passing, impersonation, or short-term privilege workflows can make unauthorized escalation look like normal administration unless approvals, identity context, and cloud activity are correlated.

Executive priority

Prioritize this as an identity and cloud governance risk. Temporary privilege is often adopted to reduce standing access, but it still requires evidence that requests, approvals, activations, and privileged actions are monitored end to end. Leaders should ask whether cloud and identity teams can prove who requested elevated access, why it was granted, what was done during the elevated window, and whether the access expired as expected.

Technical view

The supplied ATT&CK object has no official detection text or platforms of its own, but it detects T1548.005, which is associated with privilege escalation across IaaS, Office Suite, and Identity Provider environments. SOC and detection teams should validate monitoring around just-in-time role activation, service account impersonation, role passing to services/resources, and short-term privilege changes. Incident responders should be able to reconstruct the full chain from identity event to cloud control-plane action during the elevated session.

Likely telemetry

  • Identity provider audit logs for privilege activation, role assignment, impersonation, and administrative consent events
  • Cloud control-plane audit logs for role use, policy changes, resource access, and privileged API calls
  • Just-in-time or privileged access management records showing request, approval, activation, duration, and expiration
  • Service account and workload identity activity logs, especially where roles are passed to resources or services
  • Administrative session metadata such as actor, source, target account/resource, timestamp, and outcome

Detection direction

  • Correlate temporary elevation events with the privileged actions that follow; alerting only on activation may miss abuse that occurs after a legitimate-looking grant.
  • Baseline expected requesters, approvers, roles, durations, and target resources to identify unusual privilege windows or out-of-pattern role use.
  • Validate that service account impersonation and role passing are logged with enough identity context to distinguish the requester from the effective privileged principal.
  • Tune for false positives from approved administrative maintenance, emergency access, and automated workflows, but require documented approval and expected scope.
  • Look for gaps where identity logs and cloud activity logs are retained in separate systems and cannot be joined during investigations.

Mitigation priorities

  • Define least-privilege roles for temporary access and limit which users or service accounts can request, approve, impersonate, or pass privileged roles.
  • Require approval, reason codes, time limits, and expiration for elevated access workflows where supported by the environment.
  • Centralize and retain identity, privileged access, and cloud control-plane logs so SOC and IR teams can reconstruct elevated sessions.
  • Regularly review temporary access policies, role-passing permissions, and service account impersonation rights as part of cloud security and compliance readiness.
  • Test detections with approved administrative scenarios to confirm visibility without relying on undocumented tribal knowledge.
Analyst notes and limits

This take is based on the DET0393 detection strategy metadata and its relationship to T1548.005 Temporary Elevated Cloud Access. The value for defenders is in validating whether temporary privilege workflows are observable and governable, not in assuming any specific vendor implementation.

The ATT&CK detection strategy provides no official description, no official detection guidance, and no platform list of its own. Platform and tactic context comes from the related technique only. Local cloud, identity provider, and privileged access architecture must determine the exact telemetry and control implementation.

Official MITRE ATT&CK definition

Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1548.005 Temporary Elevated Cloud Access Sub-technique This object detects Temporary Elevated Cloud Access.
Relationship explorer

All related ATT&CK context

detects · Technique T1548.005: Temporary Elevated Cloud Access Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
18d4481535a839ae...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 18d4481535a8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0393
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use