https://detection.fyi/tags/attack.t1685.002/ Recent content in attack.t1685.002 on Detection.FYI Hugo -- gohugo.io Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging/ Detects disabling, deleting and updating of a Trail https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_config_disable_recording/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_config_disable_recording/ Detects AWS Config Service disabling https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated/ Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.