{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-guardduty/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon GuardDuty"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","defense-evasion","amazon-guardduty"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAdversaries targeting AWS environments may attempt to disrupt security monitoring capabilities, specifically Amazon GuardDuty, to operate undetected within compromised accounts. In multi-account GuardDuty deployments, a delegated administrator account aggregates security findings from member accounts, providing critical centralized visibility. This threat involves an attacker, having gained initial access to an AWS account (either a member or administrator account), executing specific GuardDuty API calls to disassociate member accounts, delete member relationships, stop monitoring members, or delete pending invitations. These actions, which include \u003ccode\u003eDisassociateFromAdministratorAccount\u003c/code\u003e, \u003ccode\u003eDeleteMembers\u003c/code\u003e, \u003ccode\u003eStopMonitoringMembers\u003c/code\u003e, \u003ccode\u003eDeleteInvitations\u003c/code\u003e, and \u003ccode\u003eDisassociateMembers\u003c/code\u003e, are rare in legitimate operations and serve as a strong indicator of defense evasion. Successful manipulation allows attackers to bypass detection, potentially preceding more significant malicious activities like complete GuardDuty detector deletion or undetected resource compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, typically through compromised credentials or exploitation of a vulnerable resource.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that AWS GuardDuty is enabled across an AWS organization, providing centralized security monitoring.\u003c/li\u003e\n\u003cli\u003eTo evade detection, the attacker attempts to break GuardDuty's centralized visibility.\u003c/li\u003e\n\u003cli\u003eIf the attacker controls a member account, they may call \u003ccode\u003eDisassociateFromAdministratorAccount\u003c/code\u003e to sever its connection to the GuardDuty administrator.\u003c/li\u003e\n\u003cli\u003eIf the attacker controls the delegated administrator account, they might use \u003ccode\u003eDeleteMembers\u003c/code\u003e or \u003ccode\u003eStopMonitoringMembers\u003c/code\u003e to selectively remove or cease monitoring specific member accounts.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could use \u003ccode\u003eDeleteInvitations\u003c/code\u003e to prevent future GuardDuty association for pending accounts.\u003c/li\u003e\n\u003cli\u003eUpon successful execution of these API calls, the affected member accounts lose their connection to the central GuardDuty administrator, creating a blind spot.\u003c/li\u003e\n\u003cli\u003eThe attacker can then operate within the disassociated accounts without generating alerts visible to the central security team, potentially leading to further exploitation or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this attack is a significant loss of centralized security visibility within an AWS organization. When GuardDuty member accounts are disassociated or cease to be monitored, any malicious activity occurring within those accounts will not be detected or alerted to the delegated administrator. This creates blind spots that attackers can exploit for extended periods, leading to undetected resource compromise, data exfiltration, or the deployment of persistent backdoors. Organizations may only discover the compromise much later, after significant damage has occurred, making incident response and recovery more complex and costly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect successful GuardDuty member account manipulation.\u003c/li\u003e\n\u003cli\u003eRestrict permissions for GuardDuty API calls such as \u003ccode\u003eguardduty:DisassociateFromAdministratorAccount\u003c/code\u003e, \u003ccode\u003eguardduty:DeleteMembers\u003c/code\u003e, \u003ccode\u003eguardduty:StopMonitoringMembers\u003c/code\u003e, \u003ccode\u003eguardduty:DeleteInvitations\u003c/code\u003e, and \u003ccode\u003eguardduty:DisassociateMembers\u003c/code\u003e to only authorized administrators following strict change management processes.\u003c/li\u003e\n\u003cli\u003eImplement Service Control Policies (SCPs) within AWS Organizations to prevent member accounts from disassociating from GuardDuty administrators, providing an additional layer of defense.\u003c/li\u003e\n\u003cli\u003eEnable and configure Security Hub controls to detect and alert on changes to GuardDuty organization configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.ip\u003c/code\u003e from events matching the Sigma rule to identify who performed the action and their access patterns, correlating with change tickets or migration documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T13:59:10Z","date_published":"2026-07-15T13:59:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-guardduty-manipulation/","summary":"Adversaries manipulate Amazon GuardDuty member accounts within an AWS organization by using API calls such as `DisassociateFromAdministratorAccount`, `DeleteMembers`, `StopMonitoringMembers`, or `DeleteInvitations` to break centralized security visibility, enabling them to operate undetected in compromised member accounts.","title":"AWS GuardDuty Member Account Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-guardduty-manipulation/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon GuardDuty","version":"https://jsonfeed.org/version/1.1"}