Multiple AWS CloudTrail events indicating temporary privilege escalation via PassRole and AssumeRole targeting newly created services or non-interactive infrastructure.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | AWS:CloudTrail | PassRole |

| Field | Description |
|---|---|
| targetRoleName | Define which roles are allowed to be assumed or passed; restrict highly privileged roles. |
| TimeWindow | Time range between PassRole and AssumeRole events to link the privilege chain. |
| invokingService | Restrict which services are authorized to invoke role passing (e.g., Lambda, EC2). |

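
The PassRole-to-AssumeRole chain described above, as an added example (not MITRE or AWS code): it correlates a role handed to a new Lambda function with the service-side `AssumeRole` of the same role inside a time window, and applies the three tunables from the table. Field names follow the CloudTrail record schema; the events, account id and role names are constructed.

```python
"""Link a role passed to a new service to its later service-side AssumeRole.
Added example, not MITRE or AWS code. Field names follow CloudTrail's
schema, but the events are constructed. Tunables mirror the page's mutable
elements: PRIVILEGED_ROLES (targetRoleName), WINDOW (TimeWindow),
ALLOWED_INVOKERS (invokingService)."""
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"AdminRole"}          # roles that must not reach new compute
WINDOW = timedelta(minutes=15)            # max gap between pass and assume
ALLOWED_INVOKERS = {"ec2.amazonaws.com"}  # services allowed to assume passed roles
ACCT = "arn:aws:iam::111122223333"        # constructed account id

EVENTS = [  # constructed sample records, not real telemetry
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "arn": f"{ACCT}:user/dev"},
     "requestParameters": {"functionName": "helper", "role": f"{ACCT}:role/AdminRole"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"roleArn": f"{ACCT}:role/AdminRole"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",  # no pass precedes this one: stays silent
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
     "requestParameters": {"roleArn": f"{ACCT}:role/ReadOnlyRole"}},
]

def _ts(ev): return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
def _role(arn): return arn.rsplit("/", 1)[-1]

def passed_roles(events):
    """(time, actor, role) for non-STS calls whose 'role' parameter hands a role to a service."""
    return [(_ts(e), e["userIdentity"].get("arn", "?"), _role(e["requestParameters"]["role"]))
            for e in events if e["eventSource"] != "sts.amazonaws.com"
            and "role" in (e.get("requestParameters") or {})]

def find_chains(events, privileged=PRIVILEGED_ROLES, window=WINDOW, allowed=ALLOWED_INVOKERS):
    """Alert when a passed role is assumed inside the window and either the role is
    privileged or the assuming service is not on the allow-list."""
    alerts = []
    for ev in events:
        if ev["eventSource"] != "sts.amazonaws.com" or ev["eventName"] != "AssumeRole":
            continue
        role, t = _role(ev["requestParameters"]["roleArn"]), _ts(ev)
        invoker = ev["userIdentity"].get("invokedBy", "interactive")
        for pt, actor, prole in passed_roles(events):
            if prole == role and timedelta(0) <= t - pt <= window and (
                    role in privileged or invoker not in allowed):
                alerts.append({"role": role, "passed_by": actor, "assumed_via": invoker,
                               "gap_s": int((t - pt).total_seconds())})
    return alerts
```

Only the `role` request parameter is inspected here; other services name the passed role differently (for example task or execution role parameters) and need their own extractor.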
Token creation or access delegation where a user impersonates a higher-privileged service account or performs domain-wide delegation actions, such as GCP's serviceAccountTokenCreator or Workspace impersonation.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | gcp:iam | PrincipalEmail with serviceAccountTokenCreator impersonating new identity |
| User Account Authentication (DC0002) | gcp:workspaceaudit | Token Generation via Domain Delegation |

| Field | Description |
|---|---|
| userEmailFilter | Tune based on legitimate service accounts allowed to impersonate user accounts. |
| delegatedScope | Limit delegated access to specific scopes relevant to business functions. |

Detection of ApplicationImpersonation role assignment or delegated mailbox access to service principals or rarely used users, especially outside of normal hours or geographic norms.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Add-MailboxPermission or Set-ManagementRoleAssignment |
| User Account Authentication (DC0002) | m365:signinlogs | Unusual sign-in from service principal to user mailbox |

| Field | Description |
|---|---|
| TargetMailbox | Mailbox of interest where impersonation or access delegation occurs. |
| UserAgent | Tune based on expected application or script-based mailbox access. |
| GeoLocation | Restrict based on corporate geography or travel expectations. |