AWS GuardDuty Detector Deletion
Detection of AWS GuardDuty detector deletion via the DeleteDetector API, potentially indicating defense evasion by an attacker disabling threat monitoring and removing findings.
The AWS GuardDuty Detector Deletion rule identifies successful DeleteDetector API calls, which could signal an attacker attempting to impair defenses and evade detection within an AWS environment. GuardDuty is a continuous threat detection service that monitors CloudTrail, DNS logs, and VPC Flow Logs to identify malicious activity. Deleting the detector stops all monitoring and permanently removes historical findings for the affected AWS account, thus creating a blind spot for security teams. This activity is often indicative of a post-compromise scenario where the attacker seeks to remove traces of their presence and hinder incident response efforts. This rule is relevant for organizations that rely on GuardDuty for threat detection and incident response in their AWS environments. The original rule was created on 2020/05/28 and updated on 2026/04/10.
Attack Chain
- Initial access is gained to an AWS account through compromised credentials or a vulnerability in an exposed service.
- The attacker escalates privileges within the AWS environment to gain sufficient permissions to manage GuardDuty.
- The attacker uses the AWS CLI or API to execute the
DeleteDetectorAPI call, targeting the GuardDuty detector in a specific region. - The
DeleteDetectorAPI call succeeds, disabling GuardDuty monitoring and deleting existing findings. - The attacker performs malicious activities within the AWS environment, such as lateral movement, data exfiltration, or resource tampering, without detection by GuardDuty.
- The attacker may attempt to delete or modify CloudTrail logs to further obscure their activity and hinder forensic analysis.
- The attacker completes their objectives, such as deploying ransomware or stealing sensitive data.
- The attacker attempts to remove or obfuscate any remaining logs, making it difficult to trace back to the initial intrusion.
Impact
Successful deletion of a GuardDuty detector can severely compromise an organization's security posture in AWS. It allows attackers to operate undetected, leading to potential data breaches, financial loss, and reputational damage. The loss of GuardDuty's continuous monitoring can extend the dwell time of attackers within the environment, increasing the potential for significant damage. Organizations across all sectors that rely on AWS are at risk. The impact can range from data exfiltration and resource hijacking to full-scale ransomware deployment, depending on the attacker's objectives.
Recommendation
- Deploy the Sigma rule
AWS GuardDuty Detector Deletionto your SIEM to detect unauthorized deletions of GuardDuty detectors. - Review
aws.cloudtrail.user_identity.arnfrom CloudTrail logs to identify the actor initiating theDeleteDetectorAPI call. - Implement AWS Config rules or Security Hub controls to alert on changes to GuardDuty detectors or configuration states as described in the overview.
- Restrict
guardduty:DeleteDetectorpermissions to a limited administrative role using IAM policies. - Enable AWS CloudTrail logging and monitor for
DeleteDetectorevents, ensuring logs are stored securely and retained for a sufficient period. - Investigate any
DeleteDetectorAPI calls that do not correspond to legitimate account decommissioning, region cleanup, or migration activity as described in the "False positive analysis" section.
Detection coverage 2
AWS GuardDuty Detector Deletion
highDetects the deletion of an AWS GuardDuty detector, which could indicate an attacker attempting to disable threat monitoring and evade detection.
AWS GuardDuty Configuration Changes Prior to Deletion
mediumDetects suspicious GuardDuty configuration changes (StopMonitoringMembers, DisassociateMembers, or DeleteMembers) that may precede a detector deletion.
Detection queries are available on the platform. Get full rules →