{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/guardduty/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GuardDuty"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","guardduty","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThe AWS GuardDuty Detector Deletion rule identifies successful \u003ccode\u003eDeleteDetector\u003c/code\u003e API calls, which could signal an attacker attempting to impair defenses and evade detection within an AWS environment. GuardDuty is a continuous threat detection service that monitors CloudTrail, DNS logs, and VPC Flow Logs to identify malicious activity. Deleting the detector stops all monitoring and permanently removes historical findings for the affected AWS account, thus creating a blind spot for security teams. This activity is often indicative of a post-compromise scenario where the attacker seeks to remove traces of their presence and hinder incident response efforts. This rule is relevant for organizations that rely on GuardDuty for threat detection and incident response in their AWS environments. The original rule was created on 2020/05/28 and updated on 2026/04/10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained to an AWS account through compromised credentials or a vulnerability in an exposed service.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the AWS environment to gain sufficient permissions to manage GuardDuty.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to execute the \u003ccode\u003eDeleteDetector\u003c/code\u003e API call, targeting the GuardDuty detector in a specific region.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDeleteDetector\u003c/code\u003e API call succeeds, disabling GuardDuty monitoring and deleting existing findings.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities within the AWS environment, such as lateral movement, data exfiltration, or resource tampering, without detection by GuardDuty.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to delete or modify CloudTrail logs to further obscure their activity and hinder forensic analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker completes their objectives, such as deploying ransomware or stealing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove or obfuscate any remaining logs, making it difficult to trace back to the initial intrusion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of a GuardDuty detector can severely compromise an organization's security posture in AWS. It allows attackers to operate undetected, leading to potential data breaches, financial loss, and reputational damage. The loss of GuardDuty's continuous monitoring can extend the dwell time of attackers within the environment, increasing the potential for significant damage. Organizations across all sectors that rely on AWS are at risk. The impact can range from data exfiltration and resource hijacking to full-scale ransomware deployment, depending on the attacker's objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS GuardDuty Detector Deletion\u003c/code\u003e to your SIEM to detect unauthorized deletions of GuardDuty detectors.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e from CloudTrail logs to identify the actor initiating the \u003ccode\u003eDeleteDetector\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eImplement AWS Config rules or Security Hub controls to alert on changes to GuardDuty detectors or configuration states as described in the overview.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003eguardduty:DeleteDetector\u003c/code\u003e permissions to a limited administrative role using IAM policies.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and monitor for \u003ccode\u003eDeleteDetector\u003c/code\u003e events, ensuring logs are stored securely and retained for a sufficient period.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eDeleteDetector\u003c/code\u003e API calls that do not correspond to legitimate account decommissioning, region cleanup, or migration activity as described in the \u0026quot;False positive analysis\u0026quot; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-guardduty-deletion/","summary":"Detection of AWS GuardDuty detector deletion via the DeleteDetector API, potentially indicating defense evasion by an attacker disabling threat monitoring and removing findings.","title":"AWS GuardDuty Detector Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-guardduty-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GuardDuty"],"_cs_severities":["medium"],"_cs_tags":["aws","guardduty","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert detects attempts to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization. In multi-account GuardDuty deployments, a delegated administrator account aggregates findings from member accounts. Attackers who have compromised a member account, or the administrator account, may attempt to break this centralized visibility by disassociating member accounts, deleting member relationships, stopping monitoring of members, or deleting pending invitations. These actions can precede or substitute for deleting GuardDuty detectors entirely, enabling attackers to operate undetected in member accounts while the administrator account loses visibility. The rule identifies successful API calls that manipulate GuardDuty member relationships within AWS, which are rare and warrant investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates GuardDuty member accounts and the delegated administrator account.\u003c/li\u003e\n\u003cli\u003eIf the attacker has compromised a member account, they attempt to call the \u003ccode\u003eDisassociateFromAdministratorAccount\u003c/code\u003e or \u003ccode\u003eDisassociateMembers\u003c/code\u003e API to break the connection to the administrator account.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the attacker has compromised the administrator account, they call \u003ccode\u003eDeleteMembers\u003c/code\u003e or \u003ccode\u003eStopMonitoringMembers\u003c/code\u003e to remove or stop monitoring member accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker may also call \u003ccode\u003eDeleteInvitations\u003c/code\u003e to prevent member accounts from associating with the GuardDuty administrator.\u003c/li\u003e\n\u003cli\u003eAfter successfully manipulating the member account relationships, the attacker performs malicious actions within the affected AWS accounts, such as deploying malware, exfiltrating data, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker avoids detection by the central GuardDuty administrator account because the compromised member accounts are no longer actively monitored.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to delete CloudTrail logs or other security configurations to further evade detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a significant loss of visibility into the security posture of AWS member accounts. If GuardDuty monitoring is disrupted, attackers can operate undetected, potentially leading to data breaches, resource hijacking, or other malicious activities. The number of affected accounts depends on the scope of the attack and the attacker's objectives. This is especially critical for organizations relying on centralized security monitoring and incident response across multiple AWS accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS GuardDuty Member Account Manipulation\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eRestrict IAM permissions for \u003ccode\u003eguardduty:DisassociateFromAdministratorAccount\u003c/code\u003e, \u003ccode\u003eguardduty:DeleteMembers\u003c/code\u003e, \u003ccode\u003eguardduty:StopMonitoringMembers\u003c/code\u003e, and \u003ccode\u003eguardduty:DeleteInvitations\u003c/code\u003e to only authorized personnel.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for any unauthorized API calls related to GuardDuty member account manipulation.\u003c/li\u003e\n\u003cli\u003eImplement Service Control Policies (SCPs) to prevent member accounts from disassociating from GuardDuty administrators, as referenced in the overview.\u003c/li\u003e\n\u003cli\u003eEnable AWS Security Hub controls to detect changes to GuardDuty organization configurations, as mentioned in the hardening section.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026quot;AWS GuardDuty Member Account Manipulation\u0026quot; by following the triage and analysis steps outlined in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-guardduty-member-manipulation/","summary":"Adversaries may attempt to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization to break centralized visibility, allowing them to operate undetected in member accounts.","title":"AWS GuardDuty Member Account Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-guardduty-member-manipulation/"}],"language":"en","title":"CraftedSignal Threat Feed - Guardduty","version":"https://jsonfeed.org/version/1.1"}