{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/guardduty/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GuardDuty"],"_cs_severities":["high"],"_cs_tags":["defense-impairment","aws","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAttackers with sufficient AWS privileges may attempt to disable or delete AWS GuardDuty detectors to evade detection. GuardDuty is a threat detection service that monitors AWS accounts for malicious activity. Disabling it allows attackers to operate with less chance of being detected. This activity may occur post-compromise as part of a broader defense evasion strategy, or as a precursor to malicious activities. The deletion or disabling of GuardDuty detectors should be considered a critical event, warranting immediate investigation to verify legitimacy. The references suggest that this behavior has been observed in the wild and is documented across multiple security vendors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account through compromised credentials or other means (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing GuardDuty detectors to identify the target for disabling or deletion (T1068).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS API using stolen credentials or an assumed role with sufficient permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003eDeleteDetector\u003c/code\u003e API to remove the GuardDuty detector entirely, erasing all existing findings (T1685.002).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker calls the \u003ccode\u003eUpdateDetector\u003c/code\u003e API to disable the detector by setting the \u003ccode\u003eenable\u003c/code\u003e parameter to \u003ccode\u003efalse\u003c/code\u003e (T1685.002).\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteDetector\u003c/code\u003e or \u003ccode\u003eUpdateDetector\u003c/code\u003e event with a \u003ccode\u003eSuccess\u003c/code\u003e or \u003ccode\u003enull\u003c/code\u003e error code.\u003c/li\u003e\n\u003cli\u003eWith GuardDuty disabled, the attacker performs malicious actions such as lateral movement, data exfiltration, or resource compromise without immediate detection.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove CloudTrail logs to further impair defenses (T1562.008).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete loss of threat detection capabilities within the AWS environment. With GuardDuty disabled, malicious activities can go unnoticed, potentially leading to data breaches, unauthorized access, or resource compromise. The impact is significant because GuardDuty is a primary security control for many organizations using AWS. Depending on the attacker\u0026rsquo;s objectives, this could result in financial loss, reputational damage, or compliance violations. The references suggest that this is a known technique used by attackers to evade detection in AWS environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS GuardDuty Detector Deleted Or Updated\u0026rdquo; to your SIEM using AWS CloudTrail logs to detect attempts to disable or delete GuardDuty (logsource: aws, service: cloudtrail).\u003c/li\u003e\n\u003cli\u003eInvestigate all instances of \u003ccode\u003eDeleteDetector\u003c/code\u003e and \u003ccode\u003eUpdateDetector\u003c/code\u003e events in CloudTrail, especially if initiated from unusual locations or IAM roles.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by granting only necessary permissions to IAM roles (T1078).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for anomalies that could indicate malicious activity following a GuardDuty disablement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:38:00Z","date_published":"2024-01-03T17:38:00Z","id":"/briefs/2024-01-03-aws-guardduty-disable/","summary":"Attackers may delete or disable AWS GuardDuty detectors to impair defenses and evade detection of malicious activities within the AWS environment.","title":"AWS GuardDuty Detector Deletion or Disablement","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-guardduty-disable/"}],"language":"en","title":"CraftedSignal Threat Feed — GuardDuty","version":"https://jsonfeed.org/version/1.1"}