T1548 is abuse of legitimate elevation mechanisms: sudo misconfigurations, setuid binaries, UAC bypasses and their cloud-console equivalents. The attacker does not break the privilege boundary; they ride a sanctioned crossing of it. DCV maps GCP Chronicle's ABUSE_ELEVATION_CONTROL rule family together with Azure access-enforcement compliance controls, a posture-plus-telemetry pairing for a technique that lives in the seams of identity systems. Sudo rules and role-assumption policies deserve the same review cadence as firewall rules; they decay just as quickly.
Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Platforms: Linux, macOS, Windows, IaaS, Office Suite, Identity Provider.
DCV maps 2 detections across 2 cloud providers to T1548. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| Azure Regulatory Compliance | Azure | 1 | 0.85 |
| GCP Chronicle | GCP | 1 | 0.90 |
CloudSigma ships 2 production-ready Sigma rules that detect T1548 across 5 platforms. Every rule below is validated against its source SIEM dialect before publication.
```yaml
id: be5a60f1-4785-4201-842f-78c92b8156d1
title: Azure Logic Apps Privilege Escalation via Improper Access Control
status: test
description: >
  Detects privilege escalation attempts in Azure Logic Apps through improper access control mechanisms.
  Adversaries with authorized access abuse Logic Apps' access control to elevate privileges over the network.
  This detection monitors for operations that modify Logic App access policies or role assignments, which
  are common vectors for privilege escalation in Logic Apps environments.
author: CloudSigma
date: 2026/05/15
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-42823
  - https://attack.mitre.org/techniques/T1548/
tags:
  - attack.privilege_escalation
  - attack.stealth
  - attack.t1548
logsource:
  product: azure
  service: activitylogs
detection:
  selection_operation:
    operationName:
      - Microsoft.Logic/workflows/accessKeys/write
      - Microsoft.Logic/workflows/accessKeys/action
      - Microsoft.Logic/workflows/providers/roleAssignments/write
      - Microsoft.Logic/integrationAccounts/accessKeys/write
  selection_target_type:
    properties.targetResources.type|startswith: Microsoft.Logic/
  condition: selection_operation and selection_target_type
falsepositives:
  - Legitimate Logic App access key rotation during maintenance windows
  - Infrastructure-as-Code deployments provisioning Logic Apps with role assignments
  - Authorized administrators configuring Logic App access policies for legitimate business workflows
  - Service principal operations during Logic App migration or disaster recovery procedures
level: high
```
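To make the rule's semantics concrete before wiring it into a SIEM, here is an added walkthrough of its detection logic over constructed Azure Activity Log records. This is not CloudSigma's code; the nested record layout (a flat `operationName` and a `properties.targetResources` list) is an assumption that follows the field paths the rule itself names.

```python
# Not CloudSigma's code: an added illustration of the rule's logic over
# constructed Azure Activity Log records. The nested record layout is an
# assumption that follows the field paths the rule itself names.

# selection_operation: exact match on operationName. Sigma string matching
# is case-insensitive by default, so both sides are lower-cased.
OPERATIONS = {s.lower() for s in (
    "Microsoft.Logic/workflows/accessKeys/write",
    "Microsoft.Logic/workflows/accessKeys/action",
    "Microsoft.Logic/workflows/providers/roleAssignments/write",
    "Microsoft.Logic/integrationAccounts/accessKeys/write",
)}
# selection_target_type: properties.targetResources.type|startswith
TARGET_TYPE_PREFIX = "microsoft.logic/"

def get_field(record, path):
    """Resolve a dotted Sigma field path against a nested record. List nodes
    fan out so every element is checked (targetResources is a list)."""
    nodes = [record]
    for key in path.split("."):
        nxt = []
        for node in nodes:
            items = node if isinstance(node, list) else [node]
            nxt += [i[key] for i in items if isinstance(i, dict) and key in i]
        nodes = nxt
    flat = []
    for n in nodes:
        flat += n if isinstance(n, list) else [n]
    return [str(v).lower() for v in flat]

def matches(record):
    """condition: selection_operation and selection_target_type"""
    op_hit = any(v in OPERATIONS for v in get_field(record, "operationName"))
    type_hit = any(v.startswith(TARGET_TYPE_PREFIX)
                   for v in get_field(record, "properties.targetResources.type"))
    return op_hit and type_hit

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"operationName": "Microsoft.Logic/workflows/accessKeys/write",
     "properties": {"targetResources": [{"type": "Microsoft.Logic/workflows"}]}},
    {"operationName": "Microsoft.Logic/workflows/write",  # deploy, not a key/role write
     "properties": {"targetResources": [{"type": "Microsoft.Logic/workflows"}]}},
    {"operationName": "Microsoft.Logic/workflows/providers/roleAssignments/write",
     "properties": {"targetResources": [{"type": "Microsoft.Web/sites"}]}},  # non-Logic target
]

def alert_indexes(records):
    """Indexes of records the rule would fire on."""
    return [i for i, r in enumerate(records) if matches(r)]
```

Only the first record fires: the second is an ordinary workflow deployment, and the third writes a role assignment on a non-Logic resource, so the `startswith` selection rejects it.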
DCV maps 2 cloud-native detections to T1548 across 2 cloud providers, drawn from Azure Regulatory Compliance and GCP Chronicle.
T1548 belongs to the MITRE ATT&CK tactic TA0004, Privilege Escalation: how adversaries gain higher-level permissions than they were granted.
CloudSigma ships 6 validated Sigma rules for T1548 across AWS CloudTrail, Azure Activity, GCP Audit Logs, Linux auditd and Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.