Azure Add App Role Assignment To Service Principal
Grants an application role to a service principal, allowing it to act with that role's permissions within the application.
The adversary is trying to gain higher-level permissions.
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
In cloud environments, privilege escalation frequently involves exploiting overly permissive IAM policies, assuming roles with broader permissions, or modifying permission boundaries. Adversaries may attach administrator policies to compromised identities, exploit trust relationships between accounts, or leverage service-linked roles to gain elevated access.
Creates and registers a new application in Microsoft Entra ID, establishing an identity that can authenticate and request access tokens.
Adds a user as an eligible member for a privileged role in Azure PIM, allowing them to activate the role on demand.
Directly assigns a user or service principal to an Entra ID directory role, granting that role's permissions.
Adds an owner to an Entra ID application registration, granting them management rights over the application.
Adds an owner to a group, granting the ability to modify group membership for lateral movement.
Creates a new custom Azure RBAC role definition with specified allowed and denied actions.
Creates a service principal in Entra ID, representing the identity instance of an application within a tenant.
Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.
Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
Adds an IAM user to a specified group, granting the user all permissions attached to that group.
Associates an IAM instance profile with an EC2 instance, granting the instance permissions defined by the profile's IAM role.
Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role's permissions.
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.
Attaches a managed IAM policy to a group, granting all group members the permissions defined in that policy.
Attaches a managed IAM policy to an IAM role, granting the role the permissions defined in that policy.
Attaches a managed IAM policy directly to an IAM user, granting them the permissions defined in that policy.
Sets the IAM policy on a Compute Engine persistent disk, controlling which principals have access to it.
Changes the service account attached to a Compute Engine instance, enabling privilege escalation via service account swap.
Records an admin or user granting an Entra ID application permission to access resources via an OAuth 2.0 consent grant.
Creates an access entry for an EKS cluster, granting an IAM principal Kubernetes API access via EKS access management.
Creates a Glue development endpoint providing SSH access into the Glue VPC with the Glue service role.
Creates a password for an IAM user, enabling them to sign into the AWS Management Console.
Registers an OIDC identity provider with IAM, enabling federated access from external identity systems like GitHub Actions.
Creates a new managed IAM policy that can be attached to users, groups, or roles to define permissions.
Creates a new version of an IAM managed policy, which can optionally be set as the default active version.
Creates a new IAM role with a trust policy that defines which principals are permitted to assume it.
Creates a custom IAM role in GCP with a specified set of granular permissions.
Registers a SAML 2.0 identity provider metadata document with IAM, enabling federated authentication via SAML.
Creates a service-linked IAM role that allows an AWS service to perform actions on your behalf.
Removes the permissions boundary from an IAM role, potentially expanding the role's maximum effective permissions.
Deletes an inline policy embedded directly in an IAM role.
Removes the permissions boundary from an IAM user, potentially expanding their maximum effective permissions.
Deletes an inline policy embedded directly in an IAM user.
Detaches a managed IAM policy from a role, removing those permissions from the role's effective policy.
Detaches a managed IAM policy from an IAM user, removing those permissions from the user.
Re-enables a previously disabled GCP service account, restoring its ability to authenticate and make API calls.
Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation. This is the admin activity audit log format; see also iam.serviceAccounts.getAccessToken for the data access format.
Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.
Returns temporary credentials for an IAM user, typically used to satisfy an MFA requirement for subsequent API calls.
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
Updates an existing custom IAM role, modifying its set of permitted permissions.
Records a token exchange where a service account implicitly delegates its authority to another identity.
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
Generates an OAuth2 access token for a service account via the IAM Credentials API, enabling service account impersonation. This is the data access audit log format; see also generateAccessToken for the admin activity format.
Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.
Global Admin elevates to User Access Administrator at root scope, granting control over all Azure subscriptions.
Creates or updates an Azure RBAC role assignment, granting a principal specific permissions on a resource or scope.
Retrieves the cluster-admin kubeconfig for an AKS cluster, granting full administrative access to the cluster.
Adds or removes members from an Entra ID security group or Microsoft 365 group.
Adds or updates credentials (client secrets or certificates) for an Entra ID service principal.
Assigns a user-assigned managed identity to an Azure resource, enabling it to authenticate to other Azure services.
Allows a principal to pass an IAM role to an AWS service, granting the service permission to assume that role on their behalf.
Creates or updates an inline policy embedded directly in an IAM group.
Modifies a KMS key policy to grant cross-account access or expand key usage permissions.
Creates or updates an inline policy embedded directly in an IAM role.
Creates or updates an inline policy embedded directly in an IAM user.
Replaces the IAM instance profile associated with a running EC2 instance with a different one.
Sets the default version of an IAM managed policy, changing which version of the policy is active for all attached entities.
Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.
Modifies an existing custom Azure RBAC role definition, updating its allowed or denied actions.
Updates the trust policy of an IAM role, changing which principals are permitted to assume it.
Updates a Glue development endpoint, potentially injecting SSH public keys for unauthorized access.