GCP add-iam-policy-binding
Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.
T1548: Abuse Elevation Control Mechanism
T1548: Abuse Elevation Control Mechanism
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine.
View on MITRE ATT&CK →AWS AddRoleToInstanceProfile
Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
AWS DeleteRolePermissionsBoundary
Removes the permissions boundary from an IAM role, potentially expanding the role's maximum effective permissions.
AWS DeleteRolePolicy
Deletes an inline policy embedded directly in an IAM role.
AWS DeleteUserPermissionsBoundary
Removes the permissions boundary from an IAM user, potentially expanding their maximum effective permissions.
AWS DeleteUserPolicy
Deletes an inline policy embedded directly in an IAM user.
AWS DetachRolePolicy
Detaches a managed IAM policy from a role, removing those permissions from the role's effective policy.
AWS DetachUserPolicy
Detaches a managed IAM policy from an IAM user, removing those permissions from the user.
GCP google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
GCP iam.serviceAccountKeys.implicitDelegation
Records a token exchange where a service account implicitly delegates its authority to another identity.
GCP iam.serviceAccounts.actAs
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
Azure Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Assigns a user-assigned managed identity to an Azure resource, enabling it to authenticate to other Azure services.
AWS PassRole
Allows a principal to pass an IAM role to an AWS service, granting the service permission to assume that role on their behalf.
AWS ReplaceIamInstanceProfileAssociation
Replaces the IAM instance profile associated with a running EC2 instance with a different one.
AWS UpdateAssumeRolePolicy
Updates the trust policy of an IAM role, changing which principals are permitted to assume it.