Last reviewed:
Detection coverage in DCV across AWS, Azure and GCP for Abuse Elevation Control Mechanism, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-05-15.
Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Platforms: Linux, macOS, Windows, IaaS, Office Suite, Identity Provider.
DCV maps 2 detections across 2 cloud providers to T1548. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| Azure Regulatory Compliance | Azure | 1 | 0.85 |
| GCP Chronicle | GCP | 1 | 0.90 |
CloudSigma ships 5 production-ready Sigma rules that detect T1548 across 5 platforms. Every rule below is validated against its source SIEM dialect before publication.
```yaml
id: be5a60f1-4785-4201-842f-78c92b8156d1
title: Azure Logic Apps Privilege Escalation via Improper Access Control
status: test
description: >
  Detects privilege escalation attempts in Azure Logic Apps through improper access control mechanisms.
  Adversaries with authorized access abuse Logic Apps' access control to elevate privileges over the network.
  This detection monitors for operations that modify Logic App access policies or role assignments, which are
  common vectors for privilege escalation in Logic Apps environments.
author: CloudSigma
date: 2026/05/15
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-42823
  - https://attack.mitre.org/techniques/T1548/
tags:
  - attack.privilege_escalation
  - attack.defense_evasion
  - attack.t1548
logsource:
  product: azure
  service: activitylogs
detection:
  selection_operation:
    operationName:
      - Microsoft.Logic/workflows/accessKeys/write
      - Microsoft.Logic/workflows/accessKeys/action
      - Microsoft.Logic/workflows/providers/roleAssignments/write
      - Microsoft.Logic/integrationAccounts/accessKeys/write
  selection_target_type:
    properties.targetResources.type|startswith: Microsoft.Logic/
  condition: selection_operation and selection_target_type
falsepositives:
  - Legitimate Logic App access key rotation during maintenance windows
  - Infrastructure-as-Code deployments provisioning Logic Apps with role assignments
  - Authorized administrators configuring Logic App access policies for legitimate business workflows
  - Service principal operations during Logic App migration or disaster recovery procedures
level: high
```
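To make the rule's logic concrete, here is an added example (not CloudSigma's code and not a full Sigma backend) that evaluates the two selections and the `and` condition above over a handful of constructed Azure Activity log records. The event layout follows the field names used in the rule (`operationName`, `properties.targetResources.type`); the sample events, caller names and ids are invented for the example. It assumes Sigma's default case-insensitive string matching, which is why the lower-cased fourth event still alerts.

```python
# Added example: a minimal evaluator for the Sigma rule above, run over
# constructed Azure Activity log records. Not CloudSigma's tooling.
from typing import Any, Dict, List

# Values copied from the rule's detection section
OPERATION_NAMES = {
    "Microsoft.Logic/workflows/accessKeys/write",
    "Microsoft.Logic/workflows/accessKeys/action",
    "Microsoft.Logic/workflows/providers/roleAssignments/write",
    "Microsoft.Logic/integrationAccounts/accessKeys/write",
}
TARGET_TYPE_PREFIX = "Microsoft.Logic/"


def get_field(event: Dict[str, Any], dotted: str) -> List[Any]:
    """Resolve a Sigma dotted field name against a nested JSON event.

    Any list met on the way (e.g. targetResources) is expanded, so the result
    is every leaf value found under that path.
    """
    current: List[Any] = [event]
    for part in dotted.split("."):
        nxt: List[Any] = []
        for node in current:
            items = node if isinstance(node, list) else [node]
            for item in items:
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        current = nxt
    leaves: List[Any] = []
    for node in current:
        leaves.extend(node if isinstance(node, list) else [node])
    return leaves


def selection_operation(event: Dict[str, Any]) -> bool:
    """operationName equals one of the listed values (Sigma matching is case-insensitive)."""
    wanted = {n.lower() for n in OPERATION_NAMES}
    return any(isinstance(v, str) and v.lower() in wanted
               for v in get_field(event, "operationName"))


def selection_target_type(event: Dict[str, Any]) -> bool:
    """properties.targetResources.type|startswith 'Microsoft.Logic/'."""
    prefix = TARGET_TYPE_PREFIX.lower()
    return any(isinstance(v, str) and v.lower().startswith(prefix)
               for v in get_field(event, "properties.targetResources.type"))


def matches_rule(event: Dict[str, Any]) -> bool:
    """condition: selection_operation and selection_target_type"""
    return selection_operation(event) and selection_target_type(event)


def evaluate(events: List[Dict[str, Any]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events, not real Azure data; layout follows the rule's field names.
SAMPLE_EVENTS = [
    {   # access key rewritten on a Logic App: should alert
        "id": "evt-1",
        "operationName": "Microsoft.Logic/workflows/accessKeys/write",
        "caller": "alice@contoso.example",
        "properties": {"targetResources": [{"type": "Microsoft.Logic/workflows", "displayName": "invoice-flow"}]},
    },
    {   # read of a workflow definition: operation not in the list
        "id": "evt-2",
        "operationName": "Microsoft.Logic/workflows/read",
        "properties": {"targetResources": [{"type": "Microsoft.Logic/workflows"}]},
    },
    {   # role assignment on a VM: a write, but the wrong resource type
        "id": "evt-3",
        "operationName": "Microsoft.Authorization/roleAssignments/write",
        "properties": {"targetResources": [{"type": "Microsoft.Compute/virtualMachines"}]},
    },
    {   # same as evt-1 but lower-cased by an upstream normaliser: still alerts
        "id": "evt-4",
        "operationName": "microsoft.logic/workflows/accesskeys/write",
        "properties": {"targetResources": [{"type": "microsoft.logic/workflows"}]},
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['evt-1', 'evt-4']
```

The second and third events show why both selections are needed: a Logic App read and a role assignment on an unrelated resource each satisfy one half of the condition but not the other, so neither fires. When triaging a real hit, the `caller` and any `displayName` fields are the first things to compare against the false-positive list in the rule (key rotation windows, IaC deployments, authorized administrators).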
DCV maps 2 cloud-native detections to T1548 across 2 cloud providers, drawn from Azure Regulatory Compliance and GCP Chronicle.
T1548 is part of MITRE ATT&CK TA0004 Privilege Escalation: how adversaries gain higher privileges than they were given.
CloudSigma ships 6 validated Sigma rules for T1548 across AWS CloudTrail, Azure Activity, GCP Audit Logs, Linux auditd and Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.