<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Guardduty - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/guardduty/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/guardduty/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS GuardDuty Detector Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-guardduty-deletion/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-guardduty-deletion/</guid><description>Detection of AWS GuardDuty detector deletion via the DeleteDetector API, potentially indicating defense evasion by an attacker disabling threat monitoring and removing findings.</description><content:encoded><![CDATA[<p>The AWS GuardDuty Detector Deletion rule identifies successful <code>DeleteDetector</code> API calls, which could signal an attacker attempting to impair defenses and evade detection within an AWS environment. GuardDuty is a continuous threat detection service that monitors CloudTrail, DNS logs, and VPC Flow Logs to identify malicious activity. Deleting the detector stops all monitoring and permanently removes historical findings for the affected AWS account, thus creating a blind spot for security teams. This activity is often indicative of a post-compromise scenario where the attacker seeks to remove traces of their presence and hinder incident response efforts. This rule is relevant for organizations that rely on GuardDuty for threat detection and incident response in their AWS environments. The original rule was created on 2020/05/28 and updated on 2026/04/10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is gained to an AWS account through compromised credentials or a vulnerability in an exposed service.</li>
<li>The attacker escalates privileges within the AWS environment to gain sufficient permissions to manage GuardDuty.</li>
<li>The attacker uses the AWS CLI or API to execute the <code>DeleteDetector</code> API call, targeting the GuardDuty detector in a specific region.</li>
<li>The <code>DeleteDetector</code> API call succeeds, disabling GuardDuty monitoring and deleting existing findings.</li>
<li>The attacker performs malicious activities within the AWS environment, such as lateral movement, data exfiltration, or resource tampering, without detection by GuardDuty.</li>
<li>The attacker may attempt to delete or modify CloudTrail logs to further obscure their activity and hinder forensic analysis.</li>
<li>The attacker completes their objectives, such as deploying ransomware or stealing sensitive data.</li>
<li>The attacker attempts to remove or obfuscate any remaining logs, making it difficult to trace back to the initial intrusion.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of a GuardDuty detector can severely compromise an organization's security posture in AWS. It allows attackers to operate undetected, leading to potential data breaches, financial loss, and reputational damage. The loss of GuardDuty's continuous monitoring can extend the dwell time of attackers within the environment, increasing the potential for significant damage. Organizations across all sectors that rely on AWS are at risk. The impact can range from data exfiltration and resource hijacking to full-scale ransomware deployment, depending on the attacker's objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS GuardDuty Detector Deletion</code> to your SIEM to detect unauthorized deletions of GuardDuty detectors.</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> from CloudTrail logs to identify the actor initiating the <code>DeleteDetector</code> API call.</li>
<li>Implement AWS Config rules or Security Hub controls to alert on changes to GuardDuty detectors or configuration states as described in the overview.</li>
<li>Restrict <code>guardduty:DeleteDetector</code> permissions to a limited administrative role using IAM policies.</li>
<li>Enable AWS CloudTrail logging and monitor for <code>DeleteDetector</code> events, ensuring logs are stored securely and retained for a sufficient period.</li>
<li>Investigate any <code>DeleteDetector</code> API calls that do not correspond to legitimate account decommissioning, region cleanup, or migration activity as described in the &quot;False positive analysis&quot; section.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>guardduty</category><category>defense-evasion</category></item><item><title>AWS GuardDuty Member Account Manipulation</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-guardduty-member-manipulation/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-guardduty-member-manipulation/</guid><description>Adversaries may attempt to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization to break centralized visibility, allowing them to operate undetected in member accounts.</description><content:encoded><![CDATA[<p>This alert detects attempts to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization. In multi-account GuardDuty deployments, a delegated administrator account aggregates findings from member accounts. Attackers who have compromised a member account, or the administrator account, may attempt to break this centralized visibility by disassociating member accounts, deleting member relationships, stopping monitoring of members, or deleting pending invitations. These actions can precede or substitute for deleting GuardDuty detectors entirely, enabling attackers to operate undetected in member accounts while the administrator account loses visibility. The rule identifies successful API calls that manipulate GuardDuty member relationships within AWS, which are rare and warrant investigation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or an EC2 instance.</li>
<li>The attacker enumerates GuardDuty member accounts and the delegated administrator account.</li>
<li>If the attacker has compromised a member account, they attempt to call the <code>DisassociateFromAdministratorAccount</code> or <code>DisassociateMembers</code> API to break the connection to the administrator account.</li>
<li>Alternatively, if the attacker has compromised the administrator account, they call <code>DeleteMembers</code> or <code>StopMonitoringMembers</code> to remove or stop monitoring member accounts.</li>
<li>The attacker may also call <code>DeleteInvitations</code> to prevent member accounts from associating with the GuardDuty administrator.</li>
<li>After successfully manipulating the member account relationships, the attacker performs malicious actions within the affected AWS accounts, such as deploying malware, exfiltrating data, or establishing persistence.</li>
<li>The attacker avoids detection by the central GuardDuty administrator account because the compromised member accounts are no longer actively monitored.</li>
<li>The attacker may attempt to delete CloudTrail logs or other security configurations to further evade detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to a significant loss of visibility into the security posture of AWS member accounts. If GuardDuty monitoring is disrupted, attackers can operate undetected, potentially leading to data breaches, resource hijacking, or other malicious activities. The number of affected accounts depends on the scope of the attack and the attacker's objectives. This is especially critical for organizations relying on centralized security monitoring and incident response across multiple AWS accounts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS GuardDuty Member Account Manipulation&quot; to your SIEM and tune for your environment.</li>
<li>Restrict IAM permissions for <code>guardduty:DisassociateFromAdministratorAccount</code>, <code>guardduty:DeleteMembers</code>, <code>guardduty:StopMonitoringMembers</code>, and <code>guardduty:DeleteInvitations</code> to only authorized personnel.</li>
<li>Monitor CloudTrail logs for any unauthorized API calls related to GuardDuty member account manipulation.</li>
<li>Implement Service Control Policies (SCPs) to prevent member accounts from disassociating from GuardDuty administrators, as referenced in the overview.</li>
<li>Enable AWS Security Hub controls to detect changes to GuardDuty organization configurations, as mentioned in the hardening section.</li>
<li>Investigate any alerts generated by the Sigma rule &quot;AWS GuardDuty Member Account Manipulation&quot; by following the triage and analysis steps outlined in the rule documentation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>guardduty</category><category>defense_evasion</category></item></channel></rss>